
Here is a quick overview of Insider Risk Management (IRM) and Microsoft Defender, two key tools in Microsoft's Zero Trust framework. It's crucial to understand the differences between these tools because each one serves a specific purpose in protecting your organization. By leveraging their unique features, you can create a more effective and comprehensive security strategy. Let's see how they complement each other and why you might choose one over the other in different scenarios.

Insider Risk Management (IRM) focuses on monitoring and alerting on risky behavior, such as data exfiltration and data leaks. It has a wide range of risk indicators, including unusual file downloads, sharing data with unauthorized sites, and more. However, IRM does not stop these actions; it only alerts you after they happen. This means you might catch data leaks after the fact, which can be too late if the damage is already done.


In contrast, Microsoft Defender takes a proactive approach: it can enforce policies that prevent certain actions, such as automatically suspending a user's account when they download too many files. Defender therefore plays an active, preventive role in defending your organization.


So, why would you still need IRM if Microsoft Defender is more proactive?


One unique feature of IRM is the HR Connector, which allows integration with HR systems to monitor activities such as employee terminations or resignations. This helps in identifying potential insider threats that could be associated with such events.


Additionally, IRM offers a Case Management Solution, enabling organizations to investigate and manage insider risk cases comprehensively. This includes escalation paths, progress tracking, and ensuring that each case is properly resolved.


While Microsoft Defender is more proactive and is an invaluable tool for real-time protection, it can also have drawbacks.


If you're not familiar with the usage patterns of different users or don't have the time and resources to establish detailed policies, you might inadvertently disrupt legitimate work.


For example, field workers or employees visiting clients might need to download large numbers of files. If their accounts are suspended due to a policy, it could prevent them from doing their job and hurt the business.


IRM will help you understand your organization's usage patterns. For example, if you don't know how users typically interact with M365, IRM can reveal these patterns. This insight is crucial, especially when setting up security measures, as it helps you see what's normal and what needs correction. Users are anonymized in IRM, which means that while it monitors the usage patterns and potential risks associated with M365, it does so without compromising user privacy. This anonymization helps ensure that individuals' identities are protected, allowing organizations to gain insights into behaviour trends and potential threats without infringing on personal privacy.


Think of IRM as a security camera that alerts you to suspicious activities, while Microsoft Defender is more like a security guard that can intervene and stop those activities.

IRM provides valuable insights into potential risks, but it doesn't have the power to prevent them. Defender, on the other hand, can take immediate action but requires careful configuration to avoid disrupting normal business operations.

The risk indicators in Insider Risk Management (IRM) are organized into categories that help you monitor different types of activities. These categories are similar to the various components of Microsoft Defender, each designed to protect a specific area of your organization.


This alignment helps create a comprehensive security strategy by covering all potential risks, whether they're from insider actions, external threats, or cloud activities.





Tatiana Slepukhin-Zamachnaia

Versioning in SharePoint tracks changes to documents, making it a valuable feature for collaboration and document management. However, it's not always necessary.


Here are some scenarios where turning off versioning can be a valid choice:

Final Documents: Once policies or documents are finalized and approved, they are published as the official version for everyone to use. Disabling versioning ensures that everyone accesses the same official document, avoiding confusion with drafts.

Consistency: Maintaining only the final version of documents ensures that users are on the same page, preventing the use of outdated or incorrect drafts.


Save Space: Versioning can consume a significant amount of storage, especially for large files or documents that are frequently updated. For static documents like policies, this additional storage isn't needed, and disabling versioning can help save space.


Regulatory Compliance: Some regulations may require that only the final, approved version of documents is retained. This simplifies audits by having one up-to-date version, ensuring compliance with regulatory standards.


Solo Projects: In scenarios where only one person is working on specific documents and there isn't a collaborative process, versioning might be unnecessary. In such cases, tracking multiple versions isn't needed, as the sole author controls the document.


Content Migration: Turning off versioning can simplify the migration process. Migrating only the latest version of documents can speed up the process, particularly in environments where libraries contain many versions. For example, I've seen libraries with up to 30,000 versions of documents, which can complicate migration efforts. If historical versions are not required in the new environment, moving just the latest version makes sense.


Note: While disabling versioning can be appropriate in certain cases, it's essential to recognize that versioning is often a critical component of the collaborative process and document management strategy. Carefully consider your organization's needs before deciding to turn off versioning.


Microsoft has recently introduced a series of new features and updates for their Insider Risk Management (IRM) Portal, enhancing its capabilities to better protect and manage internal data security. These updates include new tools and features aimed at detecting and mitigating potential insider threats more effectively.


Below is a spreadsheet that I compiled to provide a clear view of the feature release schedule. In this schedule:


  • R stands for features that have been released.

  • P indicates features that are currently in preview.


This spreadsheet allows for easy tracking of when new features become available, helping you stay informed about the latest advancements in insider risk management.



July 2024 - Enriching Insider risk management with Communication compliance as an indicator

Enhance Insider Risk Management by incorporating communication compliance policy matches as a new indicator for detecting various communication risks, including inappropriate text. Additionally, our system now extends its capabilities to identify potential financial regulatory compliance breaches and violations of any custom communication compliance policy on Teams, Exchange, Yammer, Copilot for Microsoft 365, or third-party channels. This expansion ensures a comprehensive approach to risk detection in diverse communication scenarios.


July 2024 - Adaptive Protection - Multi-policy selection

Admins can now select multiple Insider Risk Management policies in the "Risk levels for Adaptive Protection" settings to assign risk levels in Adaptive Protection. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


July 2024 - Adaptive Protection in Gov Cloud

Adaptive Protection will now be available in Government clouds. Adaptive Protection is a capability of Microsoft Purview that dynamically assigns appropriate Data Loss Prevention policies to users based on the risk levels analyzed by the machine learning models in Insider Risk Management. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default and role-based access controls and audit logs are in place to help ensure user-level privacy.


August 2024 - Granular exclusion

Granular exclusion allows admins to adjust and fine tune indicators according to organizational preferences to help tailor the detection of risks that may lead to a potential security incident. For example, admins can configure the indicator “sending email with attachments to recipients outside the organization” to only detect emails sent to personal domains (e.g. outlook.com). In that way, admins can reduce the number of false positives. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


August 2024 - Progressive alert scoring

With this new feature, user activities that could potentially result in data security incidents will be assessed more frequently within a 24-hour period compared with the current practice of once every 24 hours. Alert insights will now be updated every few hours with this increased frequency, providing designated analysts with timely alerts and continuously evolving insights. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


August 2024 - Cumulative Exfiltration Tuning

With this update, Cumulative Exfiltration Activities will not be detected and scored if the events have already been detected in a previous Cumulative Exfiltration Activity risk. This change will reduce noise for alerts generated from Cumulative Exfiltration Activity.


August 2024 - Policy wizard enhancements

To enhance the user experience for editing and creating policies, we will be making improvements to the Trigger, Trigger threshold, Indicator threshold, and Summary pages of the policy wizard. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


August 2024 - Global exclusions

With this update, all exclusion features currently found under intelligent detections will be relocated to a new tab labeled "Global exclusions" within the insider risk settings. All previously added exclusions in intelligent detections will be migrated to this new tab. The functionality of exclusions remains unchanged. Moreover, admins with appropriate permissions can now add exclusion via defined detection groups, which contain similar entities like domains or file types. This new tab is designed to enhance usability and offers a convenient way to access and manage exclusions. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


September 2024 - Security policy violations by risky users

Enabled by the HR 1.2 connector, this policy template detects security violations by users near a stressor event. Includes activity generated by Microsoft Defender for Endpoint alerts, which detect possible security violations performed on devices onboarded to your organization. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, security and policy violations, and more. Built with privacy by design, users are pseudonymized by default, and role-based access controls.


September 2024 - Policy deletion enhancement

With this update, admins with appropriate permissions can delete all associated alerts, cases, and users in scope when deleting a policy to help quickly reset and remove inactive policies. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


September 2024 - Microsoft Defender for Endpoint alerts

Enables you to import indicators from Microsoft Defender for Endpoint related to unapproved or malicious software installation or bypassing security controls. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, security and policy violations, and more. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy. Note: We are updating this item to reflect changes to this deployment. We appreciate your patience.


September 2024 - Security policy violations by departing users

Detects security violations by departing users near their resignation or termination date. Includes activity generated by Microsoft Defender for Endpoint alerts, which detect possible security violations performed on devices onboarded to your organization. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, security and policy violations, and more. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy. Note: We apologize for the shifted timeline. We do appreciate your patience and understanding. Note: We are updating this item to reflect changes to this deployment. We appreciate your patience.


September 2024 - Security policy violations by priority users

Detects security violations by users included in a priority user group. Includes activity generated by Microsoft Defender for Endpoint alerts, which detect possible security violations performed on devices onboarded to your organization. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, security and policy violations, and more. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy. Note: We apologize for the shifted timeline. We do appreciate your patience and understanding. Note: We are updating this item to reflect changes to this deployment. We appreciate your patience.


September 2024 - General Security Policy Violations

Detects security violations by users included in a priority user group. Includes activity generated by Microsoft Defender for Endpoint alerts, which detect possible security violations performed on devices onboarded to your organization. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, security and policy violations, and more. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy. Note: We apologize for the shifted timeline. We do appreciate your patience and understanding. Note: We are updating this item to reflect changes to this deployment. We appreciate your patience.


September 2024 - Microsoft Fabric risk indicators in Insider Risk Management

With this update, Insider Risk Management extends its risk-detection capabilities to Microsoft Fabric products by offering ready-to-use risk indicators based on user activities in Power BI. Organizations can use these new indicators in data theft and data leaks policies. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


September 2024 - Real-time policy tuning analysis

Policy tuning analysis provides admins with a real-time prediction based on the number of users that could match a given set of policy conditions. It helps organizations efficiently adjust the selection of indicators and thresholds of activity occurrence, so they don’t have too few or too many alerts from a policy. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


October 2024 - Exfiltration of business sensitive data to free public domain emails

In this update, we are enhancing the existing email insight alerts to provide additional information when business-sensitive data is potentially leaked from a work email account to a free public domain email, potentially leading to a data security incident. The new domain detection group "Free public domains" will list the common domains used for personal email accounts. Admins with appropriate permissions can choose to select these domains in their indicator variants. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
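The tenant-domain versus personal-domain distinction behind granular exclusion (August 2024 entry above) and the "Free public domains" detection group (this entry), reduced to a small worked detection. This is added illustrative Python, not IRM's own code or Microsoft's; the log line format, the contoso.example tenant domain, the sample events and the domain list are all constructed here.

```python
"""Model of an 'email with attachments to recipients outside the organization'
indicator, first in its default form and then scoped to a detection group of
free public-domain recipients, to show how the scoping cuts false positives.
Added example; the log format, domains and events below are constructed."""
from dataclasses import dataclass

INTERNAL_DOMAIN = "contoso.example"  # assumed tenant domain (constructed)

# Constructed stand-in for the "Free public domains" detection group.
FREE_PUBLIC_DOMAINS = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}

# Constructed sample of a simplified mail audit log, one event per line.
SAMPLE_LOG = """\
2024-08-01T09:02:11Z user=u1 to=partner@fabrikam.example attachments=2
2024-08-01T09:15:42Z user=u2 to=u3@contoso.example attachments=1
2024-08-01T10:01:03Z user=u1 to=me@outlook.com attachments=3
2024-08-01T10:40:19Z user=u4 to=support@vendor.example attachments=0
2024-08-01T11:05:55Z user=u2 to=Personal.Box@Gmail.com attachments=1
"""


@dataclass(frozen=True)
class MailEvent:
    ts: str
    user: str
    recipient_domain: str
    attachments: int


def parse_log(text: str) -> list[MailEvent]:
    """Parse 'ts key=value ...' lines; recipient domains are lower-cased so
    'Gmail.com' and 'gmail.com' match the same detection-group entry."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        domain = kv["to"].rsplit("@", 1)[1].lower()
        events.append(MailEvent(ts, kv["user"], domain, int(kv["attachments"])))
    return events


def external_attachment_events(events, only_domains=None):
    """Default indicator: any mail with attachments leaving the tenant domain.
    With only_domains set (the granular-exclusion variant), only recipients
    in that detection group count; business partners no longer fire it."""
    hits = []
    for e in events:
        if e.attachments == 0 or e.recipient_domain == INTERNAL_DOMAIN:
            continue
        if only_domains is not None and e.recipient_domain not in only_domains:
            continue
        hits.append(e)
    return hits


def attachments_per_user(hits) -> dict[str, int]:
    """Aggregate the flagged events per user, the shape an analyst reviews."""
    totals: dict[str, int] = {}
    for e in hits:
        totals[e.user] = totals.get(e.user, 0) + e.attachments
    return totals


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    default = external_attachment_events(events)
    scoped = external_attachment_events(events, FREE_PUBLIC_DOMAINS)
    print("default indicator:", len(default), "events", attachments_per_user(default))
    print("scoped to free public domains:", len(scoped), "events",
          attachments_per_user(scoped))
```

Run against the constructed log, the default indicator flags three events (including the partner mail) while the scoped variant flags only the two sent to personal mailboxes.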


October 2024 - Real-time policy tuning analysis

Policy tuning analysis provides admins with a real-time policy alert prediction based on the number of users in a tenant that could potentially match a given set of policy conditions. It helps organizations efficiently adjust the selection of indicators and thresholds of activity occurrence, so they don’t have too few or too many alerts from a policy. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default and role-based access controls and audit logs are in place to help ensure user-level privacy.


November 2024 - Enhanced alert and user investigation using Copilot for Security in Insider Risk Management

When investigating alerts within Microsoft Purview Insider Risk Management, you can now harness the power of Microsoft Copilot for Security. This tool not only provides concise alert summaries, but it also allows you to delve into specific user activities. By doing so, you can promptly assess whether the user associated with the alert warrants further investigation or if the alert can be safely dismissed. Additionally, with just a click, you can obtain a succinct summary of the user’s risk profile, highlighting crucial details and top risk factors. Leveraging Copilot for Security streamlines investigations, ultimately reducing the triage workload and enabling faster decision making.


November 2024 - Insider Risk Management-Insider risk context in Microsoft Defender user entity page

With this update, any SOC analyst with the required customer-determined permissions can access an insider risk summary of user activities that may lead to potential data security incidents, as a part of the user entity investigation experience in Microsoft Defender. This feature can help SOC analysts gain insider risk context for a specific user and make more informed decisions on responses to potential incidents. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


December 2024 - Microsoft Information Protection and Insider Risk Management support multicloud environments

Microsoft Purview Information Protection extends its sensitivity labels and protection policies into data contained in Azure SQL, Azure Data Lake Storage, and Amazon S3. Organizations can create label-based protection policies that specify which data sources, databases, or storage buckets are in scope, and which users or groups are allowed to access data with a certain sensitivity label and Purview will automatically enforce the policy and block unauthorized access to sensitive data. Insider Risk Management extends its detection into multicloud environments by offering ready-to-use risk indicators in Azure, AWS, and SaaS apps including Box, Dropbox, and Google Drive. Organizations can use these new indicators in data theft and data leaks policies. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Note: We have updated the cloud environments to reflect the current state. We apologize for any inconvenience this may cause.


November 2024 - Risky AI usage (Preview)

With this update, Insider risk management will help admins identify risky AI usage. We are adding new detections of intentional and unintentional insider risk activity on generative AI apps that can pose a risk to an organization. Activities will include risky prompts containing sensitive info or risky intent, and sensitive responses that contain sensitive info or are generated from sensitive files or sites. Coverage will span across Microsoft Copilots and 3P generative AI apps. These detections will also contribute to Adaptive Protection insider risk levels. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


December 2024 - Granular trigger throttling

With this update, we are introducing more granular trigger throttling limits to isolate the impact of a surge in noisy trigger volumes and prevent other policies from being affected. This ensures that organizations can receive critical alerts without being throttled by these limits. By default, the throttling limits will be applied as follows: All sensitive triggers, including HR signals, Azure AD leavers, and custom triggers, will be limited to 15,000 per day per trigger. All other triggers will be limited to 5,000 per day per trigger. Additionally, the policy health warning messages will be enhanced to assist admins with appropriate permissions in identifying and addressing noisy triggers effectively. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


February 2025 - Policy tuning analysis for priority content-only policies

Policy tuning analysis provides admins with a real-time prediction of the number of users in a tenant that could potentially match a given set of policy conditions. With this update, policy tuning analysis will support insider risk policies that are scoped for priority content. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default and role-based access controls and audit logs are in place to help ensure user-level privacy.
