I’m leaving the company in a few days for my new COO position at an up-and-coming company in the industry. You know, the information I have in these Microsoft SharePoint files could give my new company a competitive edge. Hmm… I think… maybe… I’ll just share them with my Gmail address…
True story. In a recent analysis of a client’s SaaS systems, we found a departing executive sharing over 30 sensitive data assets with a personal email address. This kind of insider risk management story, unfortunately, is not uncommon. Greed and spite, combined with ignorance and negligence, can put your organization’s data at risk from the people entrusted with legitimate access.
If your organization relies on Microsoft’s SaaS offerings, such as Microsoft 365, how can you protect your data from insider threat? Is Microsoft Insider Risk Management - Microsoft’s native insider risk management solution - effective in detecting and mitigating insider risk?
In this post, we’ll dive into the Microsoft Purview Insider Risk Management solution, and talk about where it can help to protect your enterprise data, and where it falls short.
Capabilities of Microsoft Insider Risk Management
Microsoft Insider Risk Management helps organizations detect, investigate and act on insider risks. It leverages various signals and intelligence from Microsoft 365 services to identify potential malicious or inadvertent activities posing risks to company data and compliance.
Microsoft 365 Insider Risk Management’s strengths include its abilities to:
- Enable setup of detection and enforcement policies
- Take HR data, like termination date, into account
- Integrate with Defender for Cloud Apps to give more relevant alerts
- Address insider risk in other SaaS applications
Let’s go through those one by one.
Enables setup of detection and enforcement policies
Using Microsoft Insider Risk Management requires the setup of insider risk detection and enforcement policies, using predefined templates to define the user activities you want to detect and investigate. When you set up a policy, you can define the:
- Risky actions to monitor for
- Specific conditions that must be met
- Users that should be included in the policy scope
- Prioritized content for monitoring (such as specific SharePoint sites, sensitive information or file extensions)
These policy definitions guide the Microsoft Insider Risk Management solution on what to look for and how to respond.
Takes HR data, like termination date, into account
As in the story above, departing employees represent an increased risk of insider threat. Microsoft 365 Insider Risk Management offers a Microsoft 365 Human Resources (HR) data connector, which allows you to pull in human resources data from CSV files. HR data that can potentially be used and included in insider risk policy definitions includes:
- user termination dates
- last employment dates
- performance improvement plan notifications
- performance review actions
- job level change status
Using this information to define insider risk policies makes Microsoft Insider Risk Management more adept at spotting insider threats motivated by grievances or the hope to profit in a job position elsewhere.
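To make the policy elements above (risky actions, conditions, user scope, prioritized content) and the HR termination-date signal concrete, here is a small added example. It is an illustration written for this post, not Microsoft’s policy engine and not product code; the HR CSV, the audit-style sharing events, the policy dictionary and the scoring are all constructed and hypothetical. It flags a share to a personal mailbox, raises the severity when the sharing user is inside the window before their recorded termination date, and raises it again when the content is on a prioritized site or carries a prioritized label.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed HR export in the column layout a termination-date CSV connector
# might ingest. Users, dates and domains are made up for this example.
HR_CSV = """user,termination_date
alice@corp.example,2024-06-14
bob@corp.example,
"""

# Constructed sharing events in an audit-log-like shape (hypothetical fields).
EVENTS = [
    {"time": "2024-06-10T09:12:00", "user": "alice@corp.example", "action": "SharingSet",
     "target": "alice.personal@gmail.com", "site": "/sites/Finance",
     "file": "q2-forecast.xlsx", "label": "Confidential"},
    {"time": "2024-06-10T09:13:00", "user": "alice@corp.example", "action": "SharingSet",
     "target": "partner@vendor.example", "site": "/sites/Marketing",
     "file": "logo.png", "label": ""},
    {"time": "2024-06-11T14:00:00", "user": "bob@corp.example", "action": "SharingSet",
     "target": "bob.home@gmail.com", "site": "/sites/Finance",
     "file": "budget.docx", "label": "Confidential"},
    {"time": "2024-06-11T15:00:00", "user": "alice@corp.example", "action": "FileAccessed",
     "target": "", "site": "/sites/Finance",
     "file": "q2-forecast.xlsx", "label": "Confidential"},
]

# Hypothetical policy mirroring the four things a policy defines.
POLICY = {
    "indicators": {"SharingSet"},                    # risky actions to monitor for
    "personal_domains": {"gmail.com", "outlook.com", "yahoo.com"},  # condition
    "departure_window_days": 30,                     # condition: days before termination
    "scope": None,                                   # None = all users, else a set of users
    "priority_sites": {"/sites/Finance"},            # prioritized content
    "priority_labels": {"Confidential"},
}


def load_hr(csv_text):
    """Parse the HR CSV into {user: termination_date or None}."""
    hr = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["termination_date"].strip()
        hr[row["user"]] = date.fromisoformat(raw) if raw else None
    return hr


def is_departing(event_day, termination, window_days):
    """True if the event falls inside the window leading up to termination."""
    if termination is None:
        return False
    return termination - timedelta(days=window_days) <= event_day <= termination


def evaluate(events, hr, policy):
    """Apply the policy to each event and return alerts, highest score first."""
    alerts = []
    for ev in events:
        if ev["action"] not in policy["indicators"]:
            continue
        if policy["scope"] is not None and ev["user"] not in policy["scope"]:
            continue
        target = ev["target"]
        domain = target.rsplit("@", 1)[-1].lower() if "@" in target else ""
        if domain not in policy["personal_domains"]:
            continue
        event_day = datetime.fromisoformat(ev["time"]).date()
        score = 1  # base: external share to a personal mailbox
        departing = is_departing(event_day, hr.get(ev["user"]),
                                 policy["departure_window_days"])
        if departing:
            score += 2  # HR context: user is leaving soon
        if ev["site"] in policy["priority_sites"] or ev["label"] in policy["priority_labels"]:
            score += 1  # prioritized content
        severity = "high" if score >= 3 else "medium" if score == 2 else "low"
        alerts.append({"user": ev["user"], "file": ev["file"], "target": target,
                       "departing": departing, "score": score, "severity": severity})
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS, load_hr(HR_CSV), POLICY):
        print(alert)
```

Run as written, the departing user’s share of a labelled Finance file to a Gmail address comes out as high severity, while the same kind of share by a user with no termination date is only medium; the share to a business partner and the plain file access produce no alert at all because the policy does not name them. That last point is the one to keep in mind: the detector only sees what the policy tells it to look for.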
Integrates with Defender for Cloud Apps to give more relevant alerts
Microsoft Defender for Cloud Apps is Microsoft’s native CASB (cloud access security broker) for Microsoft 365 security. It includes functions like data access control, alerts and remediation for data loss prevention (DLP) and identifying SaaS-to-SaaS shadow apps.
False positives are always an issue with security alerts, causing information security teams to waste time, misprioritize and develop alert fatigue that can lead to overlooking true threats. Since Microsoft Insider Risk Management assigns each user a risk severity level based on analysis of their recent activities, that information can bring more user context to Microsoft Defender, helping analysts to prioritize alerts.
Addresses other SaaS applications
The average organization currently uses 130 different SaaS apps, so it is very unusual for Microsoft 365 to be the extent of an organization’s SaaS environment. Insider risk is possible anywhere that your sensitive data is stored, which is… everywhere.
Even though Microsoft Insider Risk Management is focused on Microsoft 365 services, it can help combat insider risk in other SaaS applications as well, such as Box, Dropbox, Google Drive and GitHub. You can also import your own preprocessed, aggregated detections from security information and event management (SIEM) solutions that collect information from your other SaaS applications. Microsoft Insider Risk Management can then use those imported detections alongside its own, built-in detections.
Where Microsoft Insider Risk Management falls short
If you currently have no solution that monitors Microsoft 365 for insider threats, Microsoft Insider Risk Management is definitely an improvement. But it is far from perfect.
Here are a few of the areas where Microsoft Insider Risk Management is lacking:
- Needs lots of configuration to get helpful results
- Alerts and responses are nowhere near real time
- HR connector is a good start, but it’s limited
- Limited non-MS SaaS app coverage
- Limited involvement and education of end user
Let’s take a closer look at each issue.
Needs lots of configuration to get helpful results
Microsoft Insider Risk Management’s usefulness is entirely based on the policies that you set up, defining the user activities you want to detect and investigate. If you didn’t set up a policy to cover a particular type of risk, it could be happening right under your nose and you’ll never find out about it. Even if you did set up a policy, but you made a mistake in configuring the policy indicators, triggers, connectors, etc., the policy may not actually help you.
Now, “if you don’t tell the system to find something, the system can’t find it” may have made sense a few years ago - but not in an era of AI. When we designed DoControl, for example, we made sure that, out-of-the-box, AI can start learning your company and seeing what constitutes usual and unusual user activity. You’ll have some level of insider risk protection even if you don’t configure anything.
But even when using the “AI-based Adaptive Protection” available within Microsoft Insider Risk Management, you still need to configure custom risk levels, customize the criteria each risk level is based on, and then define the conditions that control when a risk level is assigned to users, before it can start working at all.
AI today can do better. And you should expect it to.
Alerts and responses are nowhere near real time
Microsoft Insider Risk Management uses Microsoft 365 audit logs for its risk management identifications and activities as defined in the policies. To extend to non-Microsoft 365 SaaS applications, as noted above, you need to export preprocessed, aggregated detections from your SIEM solution and then import them into Microsoft Insider Risk Management.
The upshot of all this is that it takes a long time from when a risky action actually happens until its identification as a problem and initiation of alerts or remediation, as Microsoft itself warns you.
But insider threats don’t wait. When it comes to unwanted data exposure, even a few minutes can be way too long; by then the data may already have been shared, copied and moved on. Reducing MTTD and MTTR is extra important for insider threats related to data exposure, which is one of the reasons why we designed DoControl with an event-based API architecture. In an event-based architecture, the SaaS applications themselves send updates to the risk management system as soon as any significant SaaS interaction happens, creating near real-time awareness of the changing attack surface and potential threats.
HR connector is a good start, but it’s limited
Inclusion of HR data like user termination dates in the evaluation of insider risk is very helpful. The HR data pulled by Microsoft 365 Insider Risk Management’s connector, however, could be more comprehensive. HR information like user department, groups, office location, other members of the same team, etc. is usually found in HR information systems and should ideally be harnessed to give a fuller picture of the implications of a user’s activity and potential risk.
Additionally, IdP information often complements and/or completes the HR picture and should also be brought into the evaluation of user activity for insider risk.
Limited non-MS SaaS app coverage
While Microsoft Insider Risk Management does mention integrations with some major non-Microsoft 365 SaaS apps, such as Box, Dropbox, Google Drive, and GitHub (which is Microsoft-owned), the SaaS ecosystem, and the set of places where your sensitive data could reside, is so much wider. Many organizations rely on Slack for team communication, for example. Unfortunately, sensitive data like encryption keys and access information often ends up posted in Slack channels, which are sometimes externally or publicly exposed. An insider risk management solution that doesn’t cover Slack is lacking an important component.
Limited involvement and education of end user
The most effective way to prevent insider threats caused by negligence is to heighten end user awareness of SaaS data security standards. While Microsoft Insider Risk Management’s Adaptive Protection component does let you send certain categories of users policy tips and education on best practices for handling sensitive data, it doesn’t enable you to directly involve users in the remediation process, missing an opportunity for hands-on experiential learning that a user can’t ignore (unlike an entirely ignorable “remember this policy” message).
Be Proactive About Insider Risk Management
Microsoft Insider Risk Management provides a basic level of insider risk protection for organizations using Microsoft 365 - provided policies are set up promptly and accurately. If you want better coverage out-of-the-box, or if your data is sensitive enough that you need a near real-time response to threat, it’s worth looking for a more comprehensive insider risk management solution that can also cover those angles.