Many businesses are under the impression that the biggest risk to their data security comes from external cyber-attacks breaching their perimeter. In our experience investigating security breaches, however, we can confidently say that equally damaging threats can often come from within.
Whether you’re talking unintentional data spillage, malicious IP theft, confidentiality breaches, regulatory compliance violations, insider trading or fraud, the ramifications of undesirable user activity can be catastrophic for an organisation’s operations, finances and reputation. But how do you protect against threats that are already inside your security perimeter?
The Role of Proactive Threat Detection
The first line of defence against insider threats should always be a comprehensive security and governance strategy. However, even the best security net has limits, which is where proactive threat detection comes into its own.
By monitoring user behaviour for suspicious and/or undesirable activity, organisations can better detect insider threats that have accidentally or intentionally slipped past their other security measures – ideally before they become full-blown incidents requiring investigation or eDiscovery. The challenge lies in achieving this kind of monitoring at scale. However, many businesses running a Microsoft 365 environment already have the necessary tools ready and waiting.
Microsoft 365 Insider Risk Management
Insider Risk Management (available on E5 licenses or with the Microsoft 365 Compliance add-on) enables organisations to proactively detect, triage and respond to suspicious user behaviour.
It does this by monitoring user activity for risk indicators that match an organisation’s pre-defined policy conditions or trigger events. These conditions can be customised to specific high-risk individuals – e.g. exco users, disgruntled employees, departing users, participants in sensitive projects, etc. – or applied organisation-wide. With the right setup, they can flag everything from regulatory violations to the sharing of specific file types and the use of unapproved external hard drives or devices.
If a user’s activity matches a trigger event or policy condition, an alert is sent to the appointed administrator. (Alerts can be anonymised to preserve privacy and/or confidentiality if necessary.) The alert will contain a risk severity level (high, medium or low), status (e.g. needs review) and detection time, as well as any links to current or past cases under investigation.
From here, the incident can either be resolved immediately based on a review of the alert conditions or a case opened for deeper investigation of the participants, timelines and content relating to the potential threat.
Cases can also be escalated for eDiscovery within Microsoft 365 or to a third-party service provider like Salient, who can deploy deeper investigatory and analysis solutions to explore the threat, if deemed necessary.
Deployment Considerations
Like most technology, Insider Risk Management is only as effective as its planning and implementation. Getting it right (without stepping on any regulatory toes) takes collaboration between a number of stakeholders, including IT, Compliance, Privacy, HR, Legal, Forensic and Security departments.
Important details to hammer out include:
- Compliance and privacy requirements
- Review and investigation workflows
- Roles, responsibilities and access permissions
- User license requirements
- Policy template dependencies, such as:
- Microsoft Dynamics 365 HR connector configurations (required by data theft by departing users and disgruntled user templates)
- DLP policies defining sensitive information (required by data leak detection template)
- Microsoft Defender for Endpoint integration (required by security policy violation template)
(An experienced technology partner can be invaluable in planning and optimising an IRM deployment. Salient’s sister company, Cloud Essentials, can provide more detail on this process – get in touch).
The Benefits of Early Warning
Insider Risk Management doesn’t restrict or change user behaviour – that’s for your security and governance policies to do. Instead, it acts as an early warning system to alert you to undesirable behaviour as it happens.
In the case of minor policy infringements or accidental missteps, this means incidents can often be resolved immediately, with users appropriately educated and little lasting harm done to the business.
For more serious or widespread violations, early warning allows organisations to curtail nefarious activity as quickly as possible (limiting damage, compliance transgressions and the risk of litigation) and/or trigger investigations before the evidence trail grows cold.
We believe this kind of proactive – rather than reactive – strategy is the future of data protection and governance. Learn more about proactively mitigating compliance and litigation risks to your business, here.