Insider risk management in Microsoft 365
In this tutorial, we will get a brief overview of Insider risk management in Microsoft 365.
Insider risk management is a Microsoft 365 compliance solution that lets you notice, investigate, and respond to malicious and unintended activity in your business, reducing internal risks. It also allows you to define the sorts of threats you want to discover and detect in your company, as well as take action on cases and escalate them to Microsoft Advanced eDiscovery if required. Risk analysts in your company can swiftly take the necessary steps to ensure that users are adhering to your company’s compliance rules.
Modern risk pain points
Understanding the sorts of risks that exist in today’s workplace is the first step in managing and mitigating risk in your firm. Some risks are influenced by events and variables outside one’s own control. Risks from unlawful, unsuitable, unapproved, or unethical activities and acts by users in your business are just a few instances. A wide variety of internal dangers from users are included in these behaviors:
- Firstly, leaks of sensitive data and data spillage
- Secondly, confidentiality violations
- Thirdly, Intellectual property (IP) theft
- Then, fraud
- Insider trading
- Lastly, regulatory compliance violations
Further, Insider risk management is centered around the following principles:
- Firstly, Transparency: Balance user privacy versus organization risk with privacy-by-design architecture.
- Secondly, Configurable: Configurable policies based on industry, geographical, and business groups.
- Thirdly, Integrated: Integrated workflow across Microsoft 365 compliance solutions.
- Lastly, Actionable: Provides insights to enable reviewer notifications, data investigations, and user investigations.
Workflow
The insider risk management process assists you in identifying, investigating, and responding to internal threats in your company. You may leverage actionable insights to swiftly detect and act on problematic conduct with tailored policy templates, extensive activity signaling throughout the Microsoft 365 service, and alert and case management capabilities. Insider risk management in Microsoft 365 also employs the following procedure to detect and resolve internal risk activities and compliance issues:
1. Policies
Insider risk management policies are built using pre-defined templates and policy criteria that determine which triggering events and risk indicators in your business are analyzed. These conditions include how risk indicators are used for alerts, who is covered by the policy, which services are prioritized, and the duration of the monitoring.
2. Alerts
Alerts are generated automatically using risk indicators that satisfy policy conditions, and they are then shown on the Alerts dashboard. This dashboard gives you a rapid overview of all alerts that need to be reviewed, as well as open alerts over time and alert data for your company. To assist you quickly determine the state of current warnings and new alerts that require action, all policy alerts provide the following information:
- Firstly, Status
- Secondly, Severity
- Time detected
- Then, Case
- Case status
- Lastly, the Insider risk management alert dashboard
3. Triage
New user behaviors that require examination trigger notifications with the status Needs review. These alerts may be immediately identified, reviewed, evaluated, and triaged by reviewers.
Additionally, alerts may be resolved by creating a new case, assigning the alert to an existing case, or dismissing it. It’s simple to rapidly identify alerts by status, severity, or time discovered using alert filters. Reviewers can, as part of the triage process,
- View alert details for the activities identified by the policy
- View user activity associated with the policy match
- See the severity of the alert
- Review user profile information.
4. Investigate
For alerts that necessitate a more thorough examination and investigation of the activity details and circumstances surrounding the policy match, cases are produced. However, for your business, the Case dashboard gives a top-down view of all active cases, open cases over time, and case data. Selecting a case from the case dashboard, on the other hand, initiates an investigation and evaluation of the case. This is the most important phase in the insider risk management process. In addition, the following are the key investigation instruments in this field:
- Firstly, User activity. User activity automatically displays in an interactive chart that plots activities over time and by risk level for current or past risk activities.
- Secondly, Content explorer. All data files and email messages associated with alert activities are automatically captured and displayed in the Content Explorer.
- Lastly, Case notes: Reviewers can provide notes for a case in the Case Notes section. This list consolidates all notes in a central view and includes reviewer and date submitted information.
5. Action
Reviewers can move promptly to settle incidents or cooperate with other risk stakeholders in your business after researching them. If users unwittingly or intentionally break policy conditions. Then, using notification templates that you may edit for your business, a simple reminder message is delivered to the user.
However, you may need to share the insider risk management case information with other reviewers or services in your firm in more critical cases. Insider risk management works in tandem with other Microsoft 365 compliance tools to provide end-to-end risk management.
- Firstly, Advanced eDiscovery: Escalating a case for investigation allows you to transfer data and management of the case to Advanced eDiscovery in Microsoft 365. Advanced eDiscovery provides an end-to-end workflow to preserve, collect, review, analyze, and export content that’s responsive to your organization’s internal and external investigations.
- Secondly, Office 365 Management APIs integration (preview): Insider risk management supports exporting alert information to security information and event management (SIEM) services via the Office 365 Management APIs. However, having access to alert information in the platform the best fits your organization’s risk processes gives you more flexibility in how to act on risk activities.
Reference: Microsoft Documentation