Insider Risk Management


March 8, 2022
Beau Faull

Every time I speak to someone about how they can potentially use a technology stack, there is something that we always need to address – what use cases can this technology help the user achieve, or what threats can it mitigate?

Insider Risk Management is, of course, no exception to this. In this article, I thought I would run through a quick overview on how Insider Risk Management works, and some of the scenarios and use cases that it can help mitigate.

Something else that has come up in my conversations is the difference between Insider Risks and Insider Threats. The terms change depending on who you speak to; sometimes an Insider Risk is accidental data exposure, while an Insider Threat is the malicious side of things. For the purposes of this article, and whenever I speak about Insider Risk Management, please consider the two terms interchangeable.

What is Insider Risk Management?

Insider Risk Management is a Microsoft compliance solution that helps organisations minimise internal risks by detecting, investigating, and acting on malicious and accidental activities within the organisation.

Insider Risk Management Workflow Diagram

It uses risk policies to define the types of risk the organisation wants to identify and detect, to respond to raised cases, and to escalate that activity to Microsoft Advanced eDiscovery if needed.

I usually describe it as a sort of correlation engine within M365. It takes telemetry from different areas of M365 and correlates it to build a risk profile and baseline for individual users; if those users act outside that baseline, or in a way that the system deems malicious, Insider Risk Management raises an alert for that activity.

Insider Risk Management Alerts

Alerts are the first stage of an investigation: an analyst triages the alert and quickly decides on an action. If the alert is a false positive or expected behaviour, it can be closed at this level; if it could be a significant issue, the analyst escalates it to a case for additional investigation.

Insider Risk Management Alerts Dashboard

Insider Risk Management Cases

Once an alert is triaged and escalated, it becomes a case for activities that need a deeper review and investigation of the activity details and the circumstances around the policy match. Selecting a case is the heart of the Insider Risk Management workflow: this area has all of the information needed to investigate the activity in depth, correlating all the associated risk activities, policy violations, alert details and user details so that the analyst has the additional visibility needed to perform the investigation.


There are a few primary tools here to perform this investigation:

– User Activity: The associated user activity is displayed in an interactive chart that plots the activities over time and by risk level for current and past activities. The analyst can quickly filter and view the entire risk history for the user and drill down into specific activities for more details.

– Content Explorer: All of the data files and email messages associated with an alert are automatically captured and surfaced in the content explorer. The analyst can filter and view these files and messages by data source, file type, tags, conversations, and many other attributes.

– Case Notes: As with any investigation, the analyst needs an area to capture their notes. This consolidates all of the notes for a case in a central view and records the analyst and the date each note was submitted.

NOTE: The username and user profile in these investigations can be pseudonymised so that the analyst can’t tell who the end user is – just something to keep in mind.

Actions

After the case is initially triaged and investigated, the analyst will need to act to resolve the issue quickly, or to collaborate with other teams in the organisation (think HR, potentially legal).

There are typically two forms of Insider Risk – accidental and malicious. If the case finds that the user accidentally or inadvertently violated the policy conditions, the analyst might send a reminder notice to the user to advise them of the activity and how they can prevent it in the future – and you can use notice templates for this. They can serve as reminders or might direct the user to refresher training or guidance to help prevent risky behaviour in the future.

Insider Risk Management Cases Dashboard

However, if the situation is determined to be malicious, the analyst might need to share the case information with other reviewers or staff in the organisation. In this case, we have a few options to escalate:

– Advanced eDiscovery: This allows you to transfer data and management of the case to Advanced eDiscovery. It provides an end-to-end workflow to preserve, collect, review, analyse, and export content to people responsible for internal or external investigations, such as legal. It then allows those teams to manage the entire legal hold notification workflow.

– O365 Management API Integration (currently in preview): The system supports exporting alert information to SIEM services such as Sentinel via the O365 Management APIs. Presenting this information in a SIEM provides additional flexibility in reacting to these risk activities.

– Power Automate: Insider Risk Management can utilise Power Automate to trigger automated workflows as an action in a case and has some built-in flows that you can leverage – as well as create your own custom flows.

Insider Risk Management Power Automate Workflows

Use Cases and Policy Templates

There are some common use cases that Insider Risk Management has built-in templates to detect and mitigate, and I will go through these below:

Data Theft by Departing Users

Users leave organisations all the time – either voluntarily or due to termination. There is a legitimate concern that confidential data can be at risk in these cases. As I mentioned in my previous article, this occurs very often, and it can be hard to track down or prevent. Users often innocently assume that project data isn’t sensitive, or they might be tempted to take company data for their own gain and are purposefully looking to breach company policies or legal regulations.

This policy template automatically detects activities typically associated with this type of data theft. With this policy configured, the analyst will receive alerts for suspicious activities related to data theft. To leverage this policy template, you will need to configure a Microsoft 365 HR connector so that the system has the information required to determine whether a user is departing soon or not – things like final date of employment, for example.

General Data Leaks

Users are empowered to create, store and share information across services and devices, which makes managing data leaks more difficult. With an assigned Data Loss Prevention (DLP) policy, or built-in or customisable triggering events, this template starts scoring real-time detections of suspicious SharePoint Online data downloads, file and folder sharing, printing files and copying files to cloud messaging and storage services.

You can assign a DLP policy as the triggering event for an Insider Risk Management policy created from the data leaks template, so that high severity DLP alerts bring users into scope. Insider risk policies created with this template will automatically examine the high severity alert when the signal is triggered. You can also choose to assign selected indicators as triggering events for these policies, allowing for the flexibility and customisation an organisation might require to scope the policy to only the specific activities covered by those indicators.
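To make the mechanism described above concrete (a triggering event such as an HR departure date or a high severity DLP match brings a user into scope, and only then are that user's indicators scored against their own baseline), here is a small added illustration. It is my own simplified model, not Microsoft's scoring algorithm or any product code, and all telemetry, HR dates, DLP matches and thresholds are constructed.

```python
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample telemetry (not real M365 audit data): per user and day,
# counts of two indicators the data leaks template scores.
EVENTS = {
    "alice": {date(2022, 3, 1) + timedelta(d): {"sharepoint_download": 5, "file_share": 1}
              for d in range(14)},
    "bob":   {date(2022, 3, 1) + timedelta(d): {"sharepoint_download": 3, "file_share": 0}
              for d in range(14)},
}
# Constructed activity on the day under review: alice departs from her baseline, bob does not.
EVENTS["alice"][date(2022, 3, 15)] = {"sharepoint_download": 120, "file_share": 9}
EVENTS["bob"][date(2022, 3, 15)] = {"sharepoint_download": 3, "file_share": 0}

# Constructed triggering events: an HR connector final date and a high severity DLP match.
HR_FINAL_DATE = {"alice": date(2022, 3, 25)}
DLP_HIGH_SEVERITY = {"bob"}


def triggered(user, today):
    """A user is only scored after a triggering event, never on activity alone."""
    final = HR_FINAL_DATE.get(user)
    departing = final is not None and 0 <= (final - today).days <= 30
    return departing or user in DLP_HIGH_SEVERITY


def baseline(user, indicator, before):
    """Mean and standard deviation of the user's own history for one indicator."""
    counts = [day.get(indicator, 0) for d, day in EVENTS[user].items() if d < before]
    return mean(counts), pstdev(counts)


def score(user, day):
    """Return (severity, detail); severity 0 means no alert, 3 is the highest."""
    if not triggered(user, day):
        return 0, "not in scope: no triggering event"
    total, detail = 0.0, []
    for indicator, count in EVENTS[user][day].items():
        mu, sigma = baseline(user, indicator, day)
        # Distance above the user's own baseline, in standard deviations (floor of 1 count).
        deviation = (count - mu) / (sigma or 1.0)
        if deviation > 3:
            total += deviation
            detail.append(f"{indicator}={count} (baseline {mu:.1f})")
    severity = 0 if total == 0 else 1 if total < 25 else 2 if total < 100 else 3
    return severity, "; ".join(detail) or "within baseline"


if __name__ == "__main__":
    for user in EVENTS:
        print(user, score(user, date(2022, 3, 15)))
```

A user who is not in scope (no HR departure date within the window and no DLP match) produces no alert however unusual their activity, which is why the HR connector and DLP policy configuration described above matter as much as the indicators themselves.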

Picture of the Data theft by departing user Insider Risk Management Policy

General security policy violations

Users might have permission to install software on their devices or modify settings to help with their daily activities. Now, either inadvertently or maliciously, they might install malware or disable security functionality that helps protect information on the device or different network resources.

This policy uses Defender for Endpoint to score these activities and focus detection and alerts in this risk area. Organisations can use this template to provide insights for security policy violations in scenarios where a user might have a history of security policy violations that could indicate that the user is an insider risk.

Keep in mind that for this policy you need to have Microsoft Defender for Endpoint configured and its integration with Insider Risk Management enabled so that security alerts can be imported.

General patient data misuse

Protecting healthcare record information and preventing the misuse of patient data is a huge concern for organisations in the healthcare industry. These misuse events can range from confidential data leaks to the malicious theft of healthcare records, which can be used to blackmail patients (in certain circumstances) or be sold on the dark web.

Preventing this misuse, whether it stems from a lack of awareness, negligence, or fraud by users, is crucial to meeting several regulatory requirements – including HIPAA and HITECH – as these establish the conditions for safeguarding patients' protected health information.

This policy template enables risk scoring on internal users that are detected performing suspicious activities associated with records hosted on existing electronic medical record (EMR) systems. The detection focuses on unauthorised access, viewing, modification, and exporting this patient data. To do this, you will need to configure a connector (either the Microsoft Healthcare connector or Epic connector) to support detection of access, exfiltration and obfuscation activities in the EMR system.

Picture showing the Insider Risk Management Healthcare policy template

Summary

Hopefully, what I have explained in this article gives a clear picture of Insider Risk Management, how it works, and some use cases you might want to implement. This list is by no means exhaustive. We also have the option of configuring additional custom policies using indicators that an organisation may deem relevant – but that’s outside the scope of what I wanted to run through.

Insider Risk Management is one of those technologies you can enable very quickly to get the additional visibility an organisation needs to detect and mitigate Insider Risks. If you are licensed for it or can spin up a trial, I recommend enabling it and seeing what insights you get into your environment – the majority of customers I see find things within their environments that they didn’t expect. In some situations, simply enabling the capability has saved them from potential data breaches.

I am always completely open to feedback on these articles – if you find it useful, please let me know.

Peace.



This post was written by Beau Faull