Manage Insider Risk in Microsoft 365 (part 1)

 


Insider Risk Management

Traditional approaches to identifying insider risk, such as user behavior analytics, user activity monitoring, and data loss prevention, suffer from limitations such as complex deployment scenarios, limited insights, and a lack of workload integration beyond SecOps.

The Insider Risk Management solution in Microsoft 365 leverages the Microsoft Graph, security services, and connectors to Human Resources (HR) systems like SAP to obtain real-time native signals such as file activity, communication sentiment, abnormal user behavior, and resignation date. The built-in policy templates allow you to identify and mitigate risky activities while balancing employee privacy against organizational risk through a privacy-by-design architecture. Finally, the end-to-end integrated workflows ensure that the right people across security, HR, legal, and compliance are involved to quickly investigate and take action once a risk has been identified.

Risk Pain Points in the Modern Workplace

Managing and minimizing risk in your organization generally starts with understanding the types of risk found in the modern workplace. Some examples of internal risks from employees include:



  • Intellectual Property (IP) theft
  • Espionage
  • Leaks of sensitive business assets
  • Confidentiality violations
  • Sabotage 
  • Fraud
  • Insider trading
  • Code-of-conduct violations
  • Regulatory compliance violations

Insider risks vary by industry. In healthcare, internal fraud is the most frequently cited type of risk, while sabotage represents the greatest risk to IT businesses.

Common Insider Risk Scenarios

The insider risk management solution in Microsoft 365 helps you detect, investigate, and take action to mitigate internal risks in your organization in common scenarios such as:
  • Data theft by a departing employee: When employees leave an organization, either voluntarily or as the result of termination, there are often legitimate concerns that company, customer, and employee data are at risk. Employees may innocently assume that a particular project's data isn't proprietary, or they may be tempted to take company data for personal gain in violation of company policy and legal standards.

  • Leak of sensitive or confidential information: In most cases, employees try their best to handle sensitive or confidential information properly, but occasionally they make mistakes and the information is accidentally shared outside your organization or in violation of your information protection policies. Sometimes employees intentionally leak or share sensitive and confidential information with malicious intent or for potential personal gain.

  • Actions and behaviors that violate corporate policies: Employee-to-employee communications are often a source of inadvertent or malicious violations of corporate policy, including offensive language, threats, and cyber-bullying between employees. This type of activity contributes to a hostile work environment and can result in legal action against both the employees involved and the larger organization.

Insider Risk Management Workflow

Identifying and resolving internal risk activities and compliance issues with insider risk management in Microsoft 365 follows this workflow:

  • Policies: Insider Risk Management policies determine what is in scope and which types of risk indicators are configured to generate alerts.

  • Alerts: Insider Risk Management alerts are generated automatically by the risk indicators defined in policies. They give compliance analysts and investigators an all-up view of the current risk status and allow your organization to triage and take action on the discovered risks.

  • Triage: Reviewers can quickly identify insider risk alerts and examine each one to evaluate and triage it. Alerts are resolved by opening a new case, assigning the alert to an existing case, or dismissing the alert.

  • Investigate: Cases are created manually from alerts in situations where further action is needed to address an issue for an employee.

  • Action: After investigating the details of a case, you can take action by sending the employee a notice, resolving the case as benign, or escalating to a data or employee investigation.
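To make the policy-to-alert-to-triage flow concrete, here is an added illustrative model (not Microsoft's implementation or scoring) of the "data theft by departing employee" scenario: an HR-sourced resignation date is correlated with file activity in the days before departure, and each resulting alert is mapped to one of the three triage outcomes named above. The HR feed, file events, 30-day window and volume threshold are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data standing in for an HR connector feed (user -> resignation date,
# None when HR reports no departure) and for file-activity signals.
HR_FEED = {"alice": date(2024, 3, 15), "bob": None, "carol": date(2024, 4, 1)}

FILE_EVENTS = [
    # (user, day, action, bytes)
    ("alice", date(2024, 3, 10), "download", 50_000_000),
    ("alice", date(2024, 3, 11), "copy_to_usb", 120_000_000),
    ("bob", date(2024, 3, 10), "download", 2_000_000),
    ("carol", date(2024, 1, 5), "download", 90_000_000),  # months before resignation
]


@dataclass
class Alert:
    user: str
    severity: str
    indicators: list = field(default_factory=list)


def departing_user_alerts(hr_feed, events, window_days=30, volume_threshold=100_000_000):
    """Assumed rule: flag file activity in the `window_days` before a user's resignation
    date. Without an HR signal the rule never fires, which is what keeps it narrow."""
    alerts = []
    for user, resign_date in hr_feed.items():
        if resign_date is None:
            continue
        window_start = resign_date - timedelta(days=window_days)
        in_window = [e for e in events if e[0] == user and window_start <= e[1] <= resign_date]
        if not in_window:
            continue
        total_bytes = sum(e[3] for e in in_window)
        indicators = sorted({e[2] for e in in_window})
        # Severity is an illustrative choice: large volume or removable media -> high.
        severity = "high" if total_bytes >= volume_threshold or "copy_to_usb" in indicators else "medium"
        alerts.append(Alert(user, severity, indicators))
    return alerts


def triage(alert, existing_cases):
    """Map an alert onto the three triage outcomes described in the workflow."""
    if alert.user in existing_cases:
        return "assign_to_existing_case"
    if alert.severity == "high":
        return "open_new_case"
    return "dismiss"
```

Only "alice" produces an alert: "bob" has no HR departure signal and "carol"'s activity falls outside the window, which illustrates why the HR connector signal, not file activity alone, scopes this indicator.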

