Insider Risks – What are they and how can we mitigate them?


January 23, 2022
Beau Faull

Hey everyone, it is my first article for the new year – I hope everyone had a great break over the Christmas period and a great new year.

In this article I want to introduce the idea of insider threats: what they are and how they appear, before briefly covering the capability Microsoft offers to provide visibility into those threats and mitigate them.

Something that keeps coming up in my conversations is people airing concerns about perceived insider risks. The same questions come up: what counts as an insider risk, and will the way I have configured my alerting and monitoring tools pick them up?

What is an insider threat?

In the before times (pre-COVID), an enterprise would have the vast majority of its staff working from the office, with protections that came simply from being inside the corporate perimeter network, and with those controls enforced at the boundary of that network. This allowed the environment to rely on strong perimeter defenses. The approach was to prevent bad actors from getting in and being granted access to the “Crown Jewels” of the environment (think highly confidential data) and to stop that data from being exfiltrated outside of the environment.

While these attacks still occur today and will continue to for many years to come, it raises a question: will all of the controls you have invested in to protect your information still work if the attack or threat comes from inside your environment?

Insider risks are just that: risks that originate within your own ecosystem, from users, accounts and devices that already have legitimate access.

How to identify insider risks


Being able to find and minimize these risks typically starts with understanding which risks exist in your environment. External events can bring risks you have no real control over (like protests or earthquakes). Others can be minimized or avoided, given the right visibility and an action plan. These are often driven by internal events or activities from your user base, and those behaviours can lead to a broad range of internal risks, including:

– Both malicious and accidental leaks of sensitive data

– Intellectual property (IP) theft

– Regulatory compliance violations

That small list is by no means exhaustive; there are multiple examples of companies having been hit by an attack that came from an insider risk, such as the case of a former employee of a medical packaging company who was let go in March 2020. After being furloughed, the former employee connected back into the company’s network, granted himself admin access and then deleted around 120,000 records. As a by-product, significant delays occurred in delivering medical equipment to healthcare providers.

These risks can be both malicious and accidental; an example of the latter is the employee who fell for a phishing attack at an Australian university. Since COVID-19 started there has been an increase in phishing and spear-phishing attacks. In that case, over 700 megabytes of data were stolen, including addresses, phone numbers, tax file numbers, payroll information, and student records.

How to mitigate insider threats

Today, users need access to create, manage, and share data across a wide variety of platforms, across multiple clouds and on multiple devices. Organisations have only limited resources to find and act on these wider-ranging risks while also meeting their privacy obligations to those users. There is always the risk of running too much monitoring on end users and causing them to feel that someone is watching their every move, especially on personal devices. This can have adverse effects, such as impacting productivity and company culture.

At Microsoft, we have a capability included in our Compliance platform to monitor and alert on these risks: Microsoft Insider Risk Management. It uses the full breadth of signals from the service, plus third-party indicators, to identify, quickly triage, and act on the different risk activities. In addition, utilizing logs from M365 and the Microsoft Graph allows you to define specific policies to identify and manage your own risk indicators.

Enabling this service is straightforward and doesn’t take a lot of time. Once enabled, it will evaluate potential insider risks in the organization without any insider risk policies having been configured. This gives fast insight into which areas of higher user risk exist in the environment and recommends the type and scope of policies you could consider configuring.

You can select from pre-defined templates and policy conditions to get started quickly, such as:

– Data theft by departing users

– General Data leaks

– General security policy violations

– General patient data misuse

These policies monitor activity based on the policy indicators you have selected. Once the configured indicators are detected for a user, an alert is raised.

New alerts will be in the Needs review status. Internal staff will need to triage them: confirm whether the alert is genuine and, if so, raise a case for further investigation into the user’s activities.
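To make the mechanics of a template concrete, here is an added Python illustration of how a policy like "Data theft by departing users" combines a triggering event (a resignation in an HR feed) with the indicators you selected to raise an alert in the Needs review status, and how an analyst's triage decision updates it. This is my own toy model, not Microsoft's code: the indicator weights, the 30-day window, the alert threshold of 6, the domain contoso.example and every audit record below are constructed assumptions.

```python
"""Toy policy engine modelled on the "data theft by departing users" scenario.
Added illustration only: the scoring, window and thresholds are assumptions,
not Microsoft Insider Risk Management's implementation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN = "contoso.example"   # assumed tenant domain (constructed)
WINDOW_DAYS = 30             # assumed: score activity this many days either side of the trigger
ALERT_THRESHOLD = 6          # assumed: cumulative score at which an alert is raised

# Constructed HR feed: the triggering event is a recorded resignation date.
HR_RESIGNATIONS = {
    "alice@contoso.example": datetime(2022, 1, 10),
}

# Constructed audit records shaped like unified-audit-log entries:
# (timestamp, user, operation, details)
AUDIT_LOG = [
    ("2021-11-01T10:00:00", "alice@contoso.example", "FileDownloaded", {"site": "Finance", "count": 150}),  # outside window
    ("2022-01-11T09:02:00", "alice@contoso.example", "FileDownloaded", {"site": "Finance", "count": 420}),
    ("2022-01-11T09:40:00", "alice@contoso.example", "FileCopiedToRemovableMedia", {"count": 300}),
    ("2022-01-12T18:15:00", "alice@contoso.example", "Send", {"to": "alice.home@mail.example", "attachments": 12}),
    ("2022-01-12T10:00:00", "bob@contoso.example", "FileDownloaded", {"site": "Finance", "count": 6}),      # below indicator threshold
    ("2022-01-13T11:00:00", "carol@contoso.example", "FileCopiedToRemovableMedia", {"count": 80}),         # no triggering event
]


def score_indicator(operation, details):
    """Map one audit record to an indicator score; 0 means 'not a selected indicator'."""
    if operation == "FileDownloaded" and details.get("count", 0) >= 100:
        return 3  # bulk download from SharePoint/OneDrive
    if operation == "FileCopiedToRemovableMedia" and details.get("count", 0) >= 50:
        return 4  # bulk copy to USB (endpoint signal)
    if (operation == "Send" and details.get("attachments", 0) > 0
            and not details.get("to", "").endswith("@" + DOMAIN)):
        return 2  # attachments mailed to an external address
    return 0


def evaluate_departing_users(hr_resignations, audit_log,
                             window_days=WINDOW_DAYS, threshold=ALERT_THRESHOLD):
    """Return alerts in the Needs review status for users whose scored
    indicators inside the window around their triggering event reach the threshold."""
    scores = defaultdict(int)
    evidence = defaultdict(list)
    for ts, user, operation, details in audit_log:
        trigger = hr_resignations.get(user)
        if trigger is None:
            continue  # no triggering event: this template never scores the user
        when = datetime.fromisoformat(ts)
        if abs(when - trigger) > timedelta(days=window_days):
            continue  # activity too far from the trigger to count
        points = score_indicator(operation, details)
        if points:
            scores[user] += points
            evidence[user].append((ts, operation, points))
    return [
        {"user": u, "score": s, "evidence": evidence[u], "status": "Needs review", "case": None}
        for u, s in sorted(scores.items()) if s >= threshold
    ]


def triage(alert, confirmed, case_id=None):
    """Analyst decision on a Needs review alert: confirm (and open a case) or dismiss.
    Returns a new alert record; the original is left untouched."""
    alert = dict(alert)
    if confirmed:
        alert["status"] = "Confirmed"
        alert["case"] = case_id
    else:
        alert["status"] = "Dismissed"
    return alert


if __name__ == "__main__":
    for alert in evaluate_departing_users(HR_RESIGNATIONS, AUDIT_LOG):
        print(alert["user"], alert["score"], alert["status"])
        for row in alert["evidence"]:
            print("   ", *row)
        print(triage(alert, confirmed=True, case_id="IRM-0001")["status"])
```

Run as-is, only alice is alerted: bob's six-file download never reaches an indicator threshold, and carol's USB copy is never scored at all because she has no triggering event, which is exactly why a departing-user template needs the HR connector wired up before it can see anything. Tuning the weights, window and threshold is the real work of configuring a policy, and the triage step is what keeps a noisy indicator from becoming a case on its own.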

In my next article I will dive deeper into what Insider Risk Management can achieve and what the different workflows look like, to show off what this capability can do. It is coming into conversations more as time goes on, and I expect it to be a focus point for a lot of different companies over the next year.

Until next time, peace.

