A closer look at Insider Risk Management in Microsoft 365

Most people, when considering Microsoft 365 cybersecurity will immediately think of malware, hackers, phising and other external threats. And so they should. And Microsoft 365 offers many components to combat these threats. But if we take a more holistic look at security, compliance and risk and take more aspects into account, we need to consider another threat. And this time it’s coming from the inside: insider risk.

Insider risk is a threat to the security or information of an organisation that comes from the people within that organisation. These can be (former) employees, temporary employees, contractors or any other person with access to the organisation’s data, information and systems.

The risk involved can be data theft, harassment, fraud, accessing systems without proper authentication or data leakage. Some of these threats might be because of negligence. People are unaware of the possible risks when accessing and working with sensitive data. But the more important ones are threats by malicious actors. These might be disgruntled employees trying to remove the organization’s (sensitive) information before leaving themselves. Others might have alternative reasons for accessing intellectual property and downloading it a-mass. Another example is a contractor who worked for the organisation for some time and has access to many (confidential) locations. When the contract is no longer extended, she might consider taking a lot of documents with her to a next client. `

Microsoft 365 offers a lot of functions to protect our (important) data, even against these insider threats. To name but a view: information protection, data loss prevention and the (now in preview) endpoint DLP. And there are more to come. Most of these functions allow for alerting or have a form of audit-trail. Data loss prevention, for example, has alerting as a standard component. Information protection allows for an activity overview of information being classified or de-classified. But these are more or less seperate functions. Some of these might trigger false-positives or are simply less relevant. For example: sharing with a guest-user from SharePoint when this is allowed, is not a problem. It might become a problem when you’re sharing more then 100 documents from the same site in one day.

From a security and compliance perspective, you want to be able to correlate many signals and these might signal a malicious internal actor who’s exfiltrating information. And with the new Insider Risk Management solution you are able to do just that.

The Microsoft 365 Insider Risk Management [IR] solution is part of Microsoft 365 E5, the Microsoft E5 compliance add-on or the Insider Risk add-on for Microsoft 365. If you want to use the device based indicators, you will need to be able to onboard Windows 10 machines to Microsoft Defender ATP as-well.

In order to use the Insider Risk Management portal and configure policies, you will need to have account that has the Insider Risk Management Analysts and Insider Risk Management Investigators role. Users with this role be be automatically assigned to cases. Also, any user which needs to be investigated does require the IR license.

The IR Management solution aggregates many signals which may be related to insider risk activities.

These signals allow the security and/or compliance people within your organisation to set specific risk-policies. These policies will generate alerts and these can end up as cases to be investigated by your compliancy, legal, security and HR people.

The policies are based on the functions within Microsoft 365 and include:

• Sharing documents from SharePoint to people outside of the organisation;
• Sharing folders from SharePoint to people outside of the organisation;
• Sharing folders from SharePoint to people outside of the organisation;
• Downloading content from SharePoint;
• Downloading content from Teams;
• Sharing sensitive information in Teams;
• Sending emails to people outside of the organisation;
• Device based activities like printing, copying to USB, renaming files, moving files, etc.

But first, let’s take a look at the dashboard. The dashboard gives you an overview of all detected alerts (based on you policies), ongoing cases, your policies and the users which have triggered the alerts. You also see a section called “Notice templates”. Here you can create templates for notices (duh…..) which you can use when e-mailing the specific users. One other option you might notice at the top-right is called Insider risk settings and that’s were we are going to start.

Insider Risk Settings
These settings are defaults for your investigations. Some can be modified when you are creating specific policies, and some cannot.

• Privacy – this allows for the anonymisation of the user. This is by default and very powerful. However, you can choose to display the correct user-name;
• Policy indicators are used to detect specific actions – these can be modified in a policy;
• The same goes for the policy timeframes. These timeframes are used from the moment an alert is triggered and will retrieve events from the past and keep recording events for the specific timeframe;
  Intelligent detections configures amongst others the number of alerts are presented to you, based on the severity;
• Export alerts allows you to use SIEM platforms;
• Priority users groups contain users which (because of their position in the organisation, for example), require more attention;
• Priority physical access – this one is great – using this setting, you can retrieve alerts from physical locations (using things like a badge-reader);
• Power Automate Flows – Insider Risk has several default Flows which you can use to create workflows around the cases;
• Microsoft Teams – you can use this setting to automaticaly create a Teams environment when you open a case. This allows for better collaboration around the case.

Alerts
In this part of the dashboard you see all alerts (open or needing review). When you open an alert, you will see the details of this alert – including the user’s activities. This activity is also displayed in the case.

Cases
When you are certain that these activities requires more scrutiny, you can open a case. If you have configured Microsoft Teams to be used, than a specific Teams environment is created as well. You provide a name for the case (this will also be the name of the Teams environment).

In the Cases overview, you will be presented with several options. One of these is to resolve the case, when needed. You can also go directly to the Microsoft Teams environment. The case also displays the related alerts. Two of the most important parts of this overview though, are the User Activities and the Content explorer.

The User activity dashboard is a very comprehensive overview which indicates which activities triggered the events. These events are presented using circles. The larger the circle, the more activities that are presented. When you open one of these circles, the activities are presented.

You can scroll through time to investigate the relevant activities. When you open an activity (by simply selecting it), you will be redirected to an overview of the items related to the activity (for example, the files shared externally from SharePoint). The specific Content Explorer overview shows you all items related to the case. You can open each individual document and/or the metadata.

The Case note tab shows you any activity for this case. These are normaly auto-generated, but you can add your own notes.

The Contributors is the location where you can configure who are assigned to this case. Normally these are users with the Insider Risk Management Analysts and Insider Risk Management Investigator roles. But you can add other users as-well.

Policies
Let’s take a look at creating a risk-policy. A policy contains the events you want to detect and is assigned to specific (or all) users. When you create a policy, you first have to choose the kind of policy. IR offers several out of the box policies for data theft, data leaks and security policy violations. These policies contain specific conditions and indicators. Beware that some of these policies require either a connector to your HR system or Microsoft Defender ATP to detect activities on the endpoint.

The risk-policy can be set to detect any or all of these activities, detect specific number of activities and look for specific information. When you want to have a policy based on specific information, you can use either the configured sensitivity labels or use your sensitive information types. These even include custom information types. Do note however, that you can select up to 15 types and/or 15 labels in one policy. You can also specify which specific SharePoint sites you want to include in the policy. The last item to configure is the timeframe. Once this is set, the policy is active. It might take up to 24 hours though before you will start to see results.

Follow up
If the case warrants further investigation, you can either use the Teams environment to work on the case. Or start an advanced eDiscovery case by “escalating”. Or you can just resolve the case 🙂

You can also use Power Automate Flows (which has specific IR based templates) to automate part of the process.

Mitigating insider risk is as important for your security & compliance posture as is defending against threats from the outside of your organisation. Preventing these risks by using data loss prevention, information barriers and information protection needs to be part of your arsenal. But in case you do need to look further, then Insider Risk Management is one option to really look at. I would say that this will normally be the case in highly regulated environments (banking, other financials, government), which in most cases also have the required licensing in place.

If you want to know more about this offering, then check out this article.