By Gavin van Niekirk, Cybersecurity Practice Lead, Quorum
To help manage Insider Risk, Security and more whilst your team is working remotely and within the office, find out more here through our Navigating the New Normal Series.
In Cybersecurity, just as with any professional sport (jest), you must stay on top of your game, otherwise… (well, you know, we are not going to beat that drum today). Recently I have been evaluating Microsoft’s latest capability, aptly named Insider Risk Management. (TLDR – enhances security intelligence signal using identity data from authoritative sources such as HR, Student Information Systems, etc. Available within the M365 E5 bundle or M365 E5 Compliance SKU’s.)
I confess that I did find myself wondering if Insider Risk is a broad-spectrum problem and frankly worth the effort of integrating to bolster existing cybersecurity insight and effectiveness. I set out to do some further research and unpack my thoughts.
I am well-versed in the vast capability that Microsoft brings to the table when considering cybersecurity and the “Microsoft Intelligent Security Graph.” The Microsoft Intelligent Security Graph is the nerve centre or brain of the operation which receives a lot of signals (~Trillions) from various sources to determine patterns, threats and trends as they relate to cybersecurity. These signals in combination with advanced machine learning algorithms provide time sensitive and effective security intelligence to components such as Microsoft Defender Advanced Threat Protection (EDR), Azure Sentinel (Cloud SIEM), as well as several others. The security intelligence empowers these services to bolster the insight of Security Operations Teams because as we know “minutes matter”.
Do I need more cybersecurity signal?
I believe that yes, every organisation faces a lot of similar cybersecurity challenges i.e. phishing, malware, etc. Organisations are also unique (considering cybersecurity signals); we have known for a period now that “Identity” is the new security boundary. Therefore, it inherently makes sense to bolster signal with organisation-specific identity information.
Insider Risk Management, an excellent and welcome addition to the Microsoft Compliance Suite, enhances security intelligence signal using identity data from authoritative sources such as HR, Student Information Systems, and other similar platforms. These systems hold vital information that can be used to bolster the existing broad spectrum of security signal data that resides within the Microsoft 365 ecosystem.
Insider risk management in Microsoft 365 uses the full breadth of Customer, Microsoft, and 3rd-party indicators to evaluate signal against defined policies to identify risk indicators, these policies allow customers to identify risky activities and to take action to mitigate these risks.
What do the analysts say?
Recently I was reviewing the Verizon 2020 Data Breach report which highlighted some very pertinent findings. The report states that insider attacks account for 30% of breaches (yes the vast majority is still external), but another blog points out that:
“We would caution the reader not to make the mistake of believing that the number of threats from a particular origin equates to the size of the risk presented by those threats: one insider attack could potentially cause ten times the harm of an external attack, depending on the nature of incident”.
What is the use-case for Insider Risk?
Managing and minimising risk in your organisation starts with understanding the types of risks. We will not discuss external risks, but other risks that are driven by internal events and employee activities that can be reduced, and ideally avoided. We can consider a broad range of internal risks from employees:
- Leaks of sensitive data and data spillage
- Intellectual property (IP) theft
- Insider trading
In most cases, organisations have limited resources and tools to identify and mitigate organisation-wide risks while also meeting employee privacy standards. Insider risk management fills this gap by enabling organisations to identify, investigate, and take action to address internal risks.
What do I need to get Insider Risk Management?
As with any solution platform planning, testing and validation are key but the below provide some high-level pointers:
- Work with stakeholders in your organisation: Identify the appropriate stakeholders in your organisation to collaborate for taking actions on insider risk management alerts and cases.
- Plan for the review and investigation workflow: Select dedicated stakeholders to monitor and review the alerts and cases on a regular cadence in the Microsoft 365 compliance center.
- Understand requirements and dependencies: Microsoft 365 E5 subscription, Microsoft 365 E3 subscription + the Microsoft 365 E5 Insider Risk Management add-on, Microsoft 365 A3 subscription + the Microsoft 365 A5 Insider Risk Management add-on.
- Test with a small group of users in a production environment: Before enabling the solution broadly in production, test policies with a small set of production users while conducting for the necessary compliance, privacy, and legal reviews in your organisation.
In summary, I believe that Insider Risk Management will go a long way to bolster the capability of Security Teams, Risk Teams, and Compliance Teams within organisations as we seek to manage and ideally reduce that 30% metric.
While every organisation is different and each journey will be unique, a security model is most effective when integrated across the entire digital estate. Most organisations will need to take a phased approach that targets specific areas for change based on their cybersecurity maturity, available resources, and priorities. To find out more about how Quorum (a member of the Cloud Collective) can help you to both identify cybersecurity challenges and develop practical, cost-effective solutions, contact us today.
