News

Microsoft Giving Its Insider Risk Management Service an Upgrade

• By Kurt Mackie
• July 24, 2020

Microsoft is readying some new policy enhancements to its Insider Risk Management service for Microsoft 365.

Previews of the enhancements, including new policy indicators, templates and API integrations, will arrive for Microsoft 365 tenancies "in the coming days and weeks," according to an announcement this week.

Insider Risk Management, which uses machine learning to detect data leaks, intellectual property theft, insider trading, compliance violations and fraud, was commercially released in February. Using it requires having Microsoft 365 E5 licensing.

Some of the capabilities of Insider Risk Management also may depend on using other Microsoft services. Typically mentioned in that context are Microsoft's Advanced eDiscovery service, the Microsoft 365 HR Connector and the Microsoft 365 Data Loss Protection service.

New Policy Indicator Previews
At preview in Insider Risk Management are some additional "policy indicators" that can be added to so-called "policy templates" specifying what to check. Here are the new policy indicators, at preview, that can be added:

• Sharing files/folders/sites from SharePoint Online to domains marked "unallowed"
• Downloading content from Teams
• Emailing outside the organization to domains marked "unallowed"

New Template Previews
Microsoft also added some new templates in Insider Risk Management. The following new templates are at the preview stage:

• Data leaks by priority users
• Data leaks by disgruntled users
• General security policy violations
• Security policy violations by departing users
• Security policy violations by priority users
• Security policy violations by disgruntled users

On the final point, organizations can use the HR Connector with the Insider Risk Management service to "use additional HR insights that might indicate disgruntlement."

It's also now possible to customize the templates that Microsoft provides with the Insider Risk Management service. Customization can be done by adjusting the threshold numbers for the indicators within the templates.

New API Additions
The alerts that come from the Insider Risk Management service are getting added to the Office 365 Management Activity API. These alerts indicate things like the "severity and status" of a possible incident.

With this API integration, users of security incident event management solutions, such as Microsoft's own Azure Sentinel product, can get Insider Risk Management alerts, allowing actions to be taken. Alternatively, these alerts can be linked to Microsoft's Insider Risk Management service, permitting "further investigation."

In addition, Microsoft indicated that the Insider Risk Management service is "integrating with ServiceNow APIs," using that company's trouble-ticketing solution. The integration will permit "Insider Risk Management case managers to directly create ServiceNow tickets for incident managers," the announcement explained. 

Agentless Approach
Microsoft claimed that its signals intelligence, artificial intelligence and "deep learning" capabilities in the agentless Insider Risk Management service represent an easier approach than trying to use separate user activity monitoring and user entity behavior analytics solutions.

The signals come from Windows 10 and Microsoft Edge use, such as when files are copied, printed or transferred to a network file share. It's also possible to check when Edge is used to "download content from an unallowed domain" or a "third-party site." The service also will track the renaming of files on a device.

When Insider Risk Management is used with Microsoft Defender Advanced Threat Protection, it's possible to get "insights into whether someone is trying to evade security controls." Such actions might include "disabling multifactor authentication or installing unwanted software," Microsoft suggested.