Collaborative innovation on display in Microsoft’s insider risk management strategy
The disrupted work climate has forced companies to find new ways to let their employees work remotely, and this has changed both the organizational and the security landscape. Managing insider threats was a dynamic undertaking even before the pandemic, and it is even more so in the current remote or hybrid work climate, making it one of the top areas of concern.
The task goes beyond protection: insider risk management requires multiple viewpoints and cooperation among the organization’s main stakeholders. As a Microsoft services provider, our insider risk management approach draws on insights from the legal, privacy, and HR departments as well as from security professionals and data scientists. The enterprise then uses AI and machine learning to sift through vast quantities of signals and identify potential insider threats.
Extending this partnership beyond Microsoft was also essential for us. For example, Microsoft has collaborated with Carnegie Mellon University for the past few years, bringing together insider risk knowledge and experience that offer insight into the broader landscape.
The new workplace environment provides transformative technologies that workers enjoy, enabling them to connect with agility, collaborate, and create. In this environment, the secret to building a diverse, inclusive workplace and growing efficiency is to trust the workers. But with trust comes risk, too. An employee can breach that trust negligently, by unintentionally leaking sensitive information on corporate communication channels, or maliciously, by stealing intellectual property. In fact, a Crowd Research Partners survey reveals that 90 per cent of organizations feel vulnerable to insider attacks, and 53 per cent reported insider attacks against their organization in the previous 12 months.
We know from our own experience that it’s hard to maintain trust without the right visibility, processes, and control. However, the effort required to identify these risks and violations is not trivial. Think about the number of people accessing resources and communicating with each other and the natural cycle of entering and leaving the company. How easily can you assess the risk that is deliberate or unintentional?
And how do you achieve this degree of visibility while keeping the environment aligned with societal, legal and privacy requirements? Genuinely malicious insiders do things such as purposely stealing your intellectual property, disabling security controls, or bullying others. But there are even more cases in which an insider does not even realize that they pose a risk or are breaking the rules while using Microsoft Office 365 services.
Ultimately, to pursue the right course of action, it is necessary to see the actions and communications that have taken place in the context of intent. The only way to do this effectively and at scale is by leveraging intelligence and machine learning, because human-driven processes cannot keep up and are not always precise. A holistic solution to this problem requires practical cooperation across security, HR, legal and enforcement, and a balanced approach to privacy and risk management.
The collaboration between Microsoft and Carnegie Mellon University helped drive the Insider Risk Management product. This Microsoft 365 solution allows organizations to use machine learning to track, investigate and respond to malicious and unintended activities.
Partnerships with organizations like Carnegie Mellon University enable Microsoft to bring their rich research and insights into our products and services, so consumers can ultimately benefit from our wide range of signals.
Such research allows the enterprise to experiment with novel ways of defining insider risk indicators, and the results of those experiments feed the research-informed product roadmap. Our data scientists and analysts, for example, have been looking at using Microsoft 365 Defender threat data to obtain knowledge that can be used to handle insider threats.
Exfiltration detection to a rival
This query lets businesses identify instances of a malicious insider creating a file archive and then emailing that archive to an external, coordinating “competitor.” Using the query effectively calls for prior knowledge of the email addresses that would pose a danger to the business if data were forwarded to them.
Exfiltration detection following termination
This query looks at instances in which a terminating employee (that is, a person with an imminent termination date who has not yet left the company) downloads several files from a non-domain network address.
Steganography exfiltration detection
This query identifies instances of malicious users producing steganographic images and then immediately navigating to a webmail URL.
The indication of a malicious event is the co-occurrence of both of the following, after which additional investigation is required:
A. Generating a steganographic image; and
B. Browsing a webmail URL.
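The three detections above share one shape: a per-user sequence of events (or a count of them) inside a time window, filtered by a list of known-risky destinations. The following is an added illustration of that correlation logic over constructed sample telemetry; it is not the page's own query or Microsoft's code, and the event types, domains, addresses, thresholds and the HR exit feed are all assumptions.

```python
from datetime import datetime, timedelta

EVENTS = [  # constructed sample telemetry (hypothetical, not real Microsoft 365 Defender records)
    ("2021-03-01T09:00", "alice", "ArchiveCreated",    "q1-plans.zip"),
    ("2021-03-01T09:12", "alice", "EmailSent",         "rival-corp.example"),
    ("2021-03-01T10:00", "bob",   "ArchiveCreated",    "photos.zip"),
    ("2021-03-02T10:00", "bob",   "EmailSent",         "rival-corp.example"),  # a day later: no hit
    ("2021-03-01T11:00", "carol", "StegoImageCreated", "cat.png"),
    ("2021-03-01T11:03", "carol", "UrlVisited",        "mail.example.net"),
    ("2021-03-01T12:00", "dave",  "FileDownloaded",    "10.20.30.40"),
    ("2021-03-01T12:01", "dave",  "FileDownloaded",    "10.20.30.40"),
    ("2021-03-01T12:02", "dave",  "FileDownloaded",    "10.0.5.5"),  # corporate range: not counted
]
COMPETITOR_DOMAINS = {"rival-corp.example"}  # assumed: domains known to be risky for this business
WEBMAIL_HOSTS = {"mail.example.net"}         # assumed: known webmail hosts
PENDING_EXIT = {"dave": "2021-03-05"}        # assumed HR feed: user -> scheduled exit date

def by_user(events):
    out = {}  # user -> events sorted by timestamp
    for ts, user, kind, detail in sorted(events):
        out.setdefault(user, []).append((datetime.fromisoformat(ts), kind, detail))
    return out

def correlate(events, first, second, second_ok, window):
    """Each `first` event followed within `window` by a `second` event whose detail passes second_ok."""
    hits = []
    for user, evs in by_user(events).items():
        for i, (t0, kind, d0) in enumerate(evs):
            if kind != first:
                continue
            for t1, kind1, d1 in evs[i + 1:]:
                if t1 - t0 > window:
                    break  # sorted, so nothing later can qualify
                if kind1 == second and second_ok(d1):
                    hits.append((user, d0, d1))
                    break
    return hits

def exfil_to_competitor(events, window=timedelta(hours=1)):
    return correlate(events, "ArchiveCreated", "EmailSent", COMPETITOR_DOMAINS.__contains__, window)

def stego_then_webmail(events, window=timedelta(minutes=10)):
    return correlate(events, "StegoImageCreated", "UrlVisited", WEBMAIL_HOSTS.__contains__, window)

def downloads_before_exit(events, threshold=2, corp_prefix="10.0."):
    """Users with a pending exit who pulled >= threshold files from non-corporate addresses."""
    hits = []
    for user, evs in by_user(events).items():
        n = sum(1 for _, k, src in evs if k == "FileDownloaded" and not src.startswith(corp_prefix))
        if user in PENDING_EXIT and n >= threshold:
            hits.append((user, n))
    return hits
```

Each hit is a lead for investigation, not a verdict: the window and the destination lists decide the false-positive rate, and the termination check depends on an HR feed being joined to the telemetry.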
As these queries show, industry collaborations allow us to enrich our intelligence with other organizations’ depth of knowledge. This helps businesses solve some of the more significant challenges of insider risk through the product, while delivering scientifically validated solutions to our customers more quickly through this open-source library.