Insider Risk Management

What is Insider Risk Management?

Insider Risk Management is a compliance feature within Microsoft Purview designed to minimise and audit the risk of internal, potentially malicious, risky behaviour such as an employee who is leaving the organisation copying corporate data to public or personal locations. The intent itself may not be malicious; it may simply be an action that, from an IT security perspective, is considered risky behaviour that conflicts with company policy. It is for example plausible that a user would attempt to extract or copy data from a corporate device to a personal storage location such as OneDrive or a USB drive so they could continue working on the file away from their corporate device. In this example the intent isn’t malicious, but the risk factor remains the same.

Working locations and devices have changed drastically over the last few years and there is much less of an emphasis on working within corporate network boundaries, such as a static desktop PC within a corporate office or being required to connect to a corporate VPN to complete work. Company data can be accessed from virtually any location on any device (if configuration permits), and with features such as Insider Risk Management you can retain and promote this flexibility whilst also being confident that any potentially risky actions (malicious or otherwise) can be identified and appropriate action taken.

Insider Risk Management is another tool in the armoury of an ever-expanding set of features within Microsoft 365 that provide dynamic, intelligent and relevant security and compliance options to enable the future of modern work.

Licensing

Insider Risk Management features are available with the following license types –

  • M365 E5/A5/F5/G5
  • M365 E5/A5/F5/G5 Compliance add-on
  • M365 E5/A5/F5/G5 Insider Risk Management add-on

Policy templates

Each template is listed below with its name, indicators, triggers and suggested scope.

Data theft by departing users
  Indicators – Downloading files from SharePoint Online; Printing files; Copying data to personal cloud storage services
  Triggers – HR data connector events such as user departure date; Account deleted from AAD
  Suggested scope – Users who are leaving the organisation

General data leaks
  Indicators – Downloading files from SharePoint Online; Printing files; Copying data to personal cloud storage services
  Triggers – DLP policy matches; Activity threshold values
  Suggested scope – Broad user base

Data leaks by priority users
  Indicators – Downloading files from SharePoint Online; Printing files; Copying data to personal cloud storage services
  Triggers – DLP policy matches; Activity threshold values
  Suggested scope – Users who have high level access to data or have a history of violations

Data leaks by disgruntled users
  Indicators – Downloading files from SharePoint Online; Printing files; Copying data to personal cloud storage services
  Triggers – DLP policy matches; Activity threshold values
  Suggested scope – Identified activity taking place near to a ‘stressor event’ such as demotion, being placed on an improvement plan etc.

General security policy violations
  Indicators – Installing malware or other potentially harmful apps on devices; Disabling security features on devices; Physical access to priority locations, like a building or server room (only if a physical badging connector is configured); Browsing to sites involving hacking, keylogger, malware, phishing activities
  Triggers – Based on Defender for Endpoint evasion or an unwanted software security alert
  Suggested scope – Organisations with Defender for Endpoint in operation

Security policy violations by departing users
  Indicators – Installing malware or other potentially harmful apps on devices; Disabling security features on devices; Physical access to priority locations, like a building or server room (only if a physical badging connector is configured); Browsing to sites involving hacking, keylogger, malware, phishing activities
  Triggers – Based on Defender for Endpoint evasion or an unwanted software security alert
  Suggested scope – Organisations with Defender for Endpoint in operation, and users who are leaving the organisation

Security policy violations by disgruntled users
  Indicators – Installing malware or other potentially harmful apps on devices; Disabling security features on devices; Physical access to priority locations, like a building or server room (only if a physical badging connector is configured); Browsing to sites involving hacking, keylogger, malware, phishing activities
  Triggers – Based on Defender for Endpoint evasion or an unwanted software security alert
  Suggested scope – Organisations with Defender for Endpoint in operation, and identified activity taking place near to a ‘stressor event’ such as demotion, being placed on an improvement plan etc.

Security policy violations by priority users
  Indicators – Installing malware or other potentially harmful apps on devices; Disabling security features on devices; Physical access to priority locations, like a building or server room (only if a physical badging connector is configured); Browsing to sites involving hacking, keylogger, malware, phishing activities
  Triggers – Based on Defender for Endpoint evasion or an unwanted software security alert
  Suggested scope – Organisations with Defender for Endpoint in operation, and identified activity from users within the priority group(s), e.g. users who have high level access to data or have a history of violations

Health record misuse
  Indicators – Accessing a family member’s health records; Accessing a neighbour’s health records; Accessing an unusual number of health records; Accessing restricted health records; Accessing another user’s health records
  Triggers – Detected activities
  Suggested scope – Requires the healthcare connector and HR data connector

Configuration

As a test I’ll configure a simple policy using the ‘General Data Leaks’ policy template.

  1. Log in to the Compliance Centre and navigate to ‘Insider Risk Management’ from the left hand pane

  2. Select ‘Policies’ and ‘Create Policy’

  3. Specify the required policy template

  4. Select ‘Next’ and specify an appropriate name for the policy, and optionally a description

  5. Specify the user scope of the policy, in this example ‘Include all users and groups’ to cover everyone

  6. Optionally specify SharePoint sites, sensitivity labels and/or sensitive information types

  7. Specify the trigger events as appropriate. For this example I’ll use the defaults – ‘Downloading content from SharePoint’, ‘Sending email with attachments to recipients outside the organisation’, and ‘Sharing SharePoint files with people outside the organisation’

  8. Select the default thresholds for indicators, or specify custom thresholds if necessary. For this example I’ve used custom thresholds and reduced all to 1, for the purposes of testing the policy

  9. Select the required policy indicators, or leave all selected (I’ll cover these more in a further blog post)

  10. Confirm the indicator thresholds are appropriate and continue. For this example, I reduced the ‘Downloading content from SharePoint’ values to lower values for the purposes of testing

  11. Select the sequence detection options as required. These offer enhanced detection of possible risks on the basis of commonly suggested and seen sequences of risky actions, such as ‘Download, exfiltrate, then delete’. For this example I’ve removed the sequence detection options.

  12. Continue and review the summary. When happy, select Submit to create the policy

Note – as per the advisory when creating this policy, it can take up to 24 hours for policy matches to show in the Alerts tab.

Testing

To test the above policy works as expected, I used a test account within the tenant to download SharePoint files.

When an activity that matches the policy criteria is identified, a new alert is presented in the Insider Risk Management interface.

Further digging into the alert provides much more granular detail including –

  • The activity that generated the alert
  • The number of events
  • User details
  • Alert history for the user
  • Activities

Within the Activity Explorer you can see detail such as –

  • Individual activities, for example the files which were downloaded
  • Triggering events
  • Time and date stamps

The User Activity section contains detail of the Insider Risk history of the user.

Alerts need managing to ensure they are dealt with accordingly and don’t just accumulate in the portal.

For this example I’ve confirmed the risk to create a case.

Once a case is created it can be managed with actions such as –

  • Create case notes
  • Email the user
  • Run an automated action via Power Automate
  • Escalate and create an eDiscovery case
  • Share the case
  • Close the case

For this example, I’ve opted to send an email notice using a previously created email notice template.

Once the case is considered closed, it can be officially closed by using the ‘resolve case’ option.

The example above is simple, but policies can be very granularly configured in line with requirements including additional configuration such as sequence detection and device indicators. A simple alteration might be to increase the minimum threshold values. For example, downloading 10 files from SharePoint Online may be considered acceptable, but downloading 200 files from SharePoint Online would be indicative of more suspicious, potentially risky behaviour. An example of using some of the enhanced configuration would be indicators such as ‘using a browser to upload files to the web’, or ‘creating or transferring files to a network share’. Sequence detection criteria such as ‘Download then exfiltrate’, or ‘Download, exfiltrate, then delete’ offer the ability to be more specific in the criteria and prevent false positives.
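As an added illustration of the two tuning options just described (not code from the original post and not Microsoft’s implementation), the following Python simulates a per-user SharePoint download threshold evaluated over a sliding window and the ‘Download, exfiltrate, then delete’ sequence on a single file, run over a constructed set of activity events. The activity names, the threshold of 10 and the one-day window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity events (user, ISO timestamp, activity, file); not real tenant data.
EVENTS = [("alice", f"2023-05-01T09:{m:02d}:00", "SharePointDownload", f"doc{m}.docx") for m in range(12)]
EVENTS += [
    ("bob", "2023-05-01T10:00:00", "SharePointDownload", "plan.xlsx"),
    ("bob", "2023-05-01T10:20:00", "UploadToPersonalCloud", "plan.xlsx"),
    ("bob", "2023-05-01T11:00:00", "FileDelete", "plan.xlsx"),
    ("carol", "2023-05-01T12:00:00", "SharePointDownload", "notes.txt"),
    ("carol", "2023-05-03T12:00:00", "UploadToPersonalCloud", "notes.txt"),  # two days later
    ("carol", "2023-05-03T12:30:00", "FileDelete", "notes.txt"),
]
DOWNLOAD_THRESHOLD = 10  # assumed: more than 10 downloads inside the window raises an alert
WINDOW = timedelta(days=1)  # assumed window for both the threshold and the sequence
SEQUENCE = ("SharePointDownload", "UploadToPersonalCloud", "FileDelete")  # download, exfiltrate, delete

def parse(events):
    # Convert timestamps to datetime and order events chronologically.
    return sorted(((u, datetime.fromisoformat(t), a, f) for u, t, a, f in events), key=lambda e: e[1])

def users_over_threshold(events, threshold=DOWNLOAD_THRESHOLD, window=WINDOW):
    # Users with more than `threshold` SharePoint downloads inside any sliding window.
    per_user, flagged = defaultdict(list), set()
    for user, ts, act, _ in parse(events):
        if act == "SharePointDownload":
            per_user[user].append(ts)
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop downloads that fell out of the window
            if end - start + 1 > threshold:
                flagged.add(user)
                break
    return flagged

def users_with_sequence(events, sequence=SEQUENCE, window=WINDOW):
    # Users who performed the sequence steps, in order, on the same file within the window.
    per_file, flagged = defaultdict(list), set()
    for user, ts, act, name in parse(events):
        per_file[(user, name)].append((ts, act))
    for (user, _), acts in per_file.items():
        step, started = 0, None
        for ts, act in acts:
            if started is not None and ts - started > window:
                step, started = 0, None  # sequence timed out; start over from this event
            if act == sequence[step]:
                started = ts if step == 0 else started
                step += 1
                if step == len(sequence):
                    flagged.add(user)
                    break
    return flagged
```

With these inputs only alice trips the download threshold and only bob completes the sequence inside the window; carol performs the same three steps but spread over two days, so widening the window is what would surface her.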
