Leveraging insider risk visibility to strengthen your data security
Published Jul 10 2024 10:09 AM
Microsoft

Recent research reveals that insider risks are surging more each day. Over the past year, an alarming 63%[1] of data breaches were traced back to insiders, whether through inadvertent errors or malicious intent. These internal threats call for innovative solutions that can dynamically adapt to data security risks, instead of the widely available fragmented and one-size-fits-all solutions, where rigid controls can stymie legitimate business activities and lenient policies might leave the door open to data loss.

 

Striking the right balance between productivity and data security is critical, and that’s where the user visibility of Microsoft Purview Insider Risk Management, combined with the dynamic controls of Adaptive Protection, can help. These solutions enable organizations to tailor data protection strategies by integrating insider risk levels, determined by user activities, with different policy engines, allowing for automatic adjustments of policies as insider risk levels change.

 

Microsoft Purview Insider Risk Management correlates various signals, such as unusual access patterns and data exfiltration, to identify potential malicious or inadvertent insider risks, including IP theft, data leakage, and security violations. Insider Risk Management enables customers to create data handling policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.  

 

The evolution of dynamic controls with Adaptive Protection within access management

This week we’re thrilled to announce the general availability of the integration between Adaptive Protection in Microsoft Purview and Microsoft Entra Conditional Access. Organizations frequently struggle to implement effective data security and access management because they rely on fragmented and siloed solutions. These disjointed approaches hinder the consistent rollout of new security controls and can create exploitable gaps. Microsoft’s integration of Adaptive Protection and Conditional Access, however, offers a streamlined and integrated solution that seamlessly automates access controls for users based on their insider risk levels, thereby reducing the complexity of managing multiple disparate systems.

 

Consider a scenario where an employee at an organization is flagged as a potential insider risk; they are working on a sensitive project and they start to demonstrate risky activity detected in Insider Risk Management. With the integration of Adaptive Protection and Conditional Access, the organization can swiftly apply access policies to this employee if needed, and these policy controls can increase as the employee's activities become riskier. The policy will then automatically ramp up controls and can restrict access to critical applications and systems without manual involvement of the data security admin, thus adding a protective layer against insider risks.

 

In Conditional Access, admins can now combine insights on insider and sign-in risks to protect data against both external and internal threats, building a comprehensive and multi-layered security strategy against unauthorized access, data leaks, and theft. With Conditional Access now being used to tackle both external and insider threats, your data remains secure, thereby bolstering your organization’s resilience against evolving cyber threats.

 

Figure 1: New ‘insider risk’ condition in Conditional Access

This protection is complemented by other important capabilities offered with Adaptive Protection. In general availability since last May, the integration of Adaptive Protection with Microsoft Purview Data Loss Prevention (DLP) enables enforcement of automatic data protection controls. With users moving in and out of scope of specific data loss policies based on their risk levels, organizations can streamline security measures without extensive manual oversight. Another innovative stride, currently in public preview, is Adaptive Protection's integration with Microsoft Purview Data Lifecycle Management (DLM), enabling organizations to automatically preserve emails and files.

 

This process can be exemplified in a scenario where an employee working on a sensitive project is flagged for insider risk levels as their activities grow riskier over time. Initially, when exfiltrating confidential data, they get a warning but are allowed to proceed. After resigning for a new job, stricter controls are enforced, including exfiltration restrictions and a terms of use agreement that they must acknowledge before accessing apps that contain sensitive information. As their risk level increases even more based on continued risky activity, they might have access and exfiltration activities outright blocked, with a policy preserving possible deleted content for audits.

By providing dynamic controls that adjust to changing insider activities and potential incidents, Microsoft is helping organizations fortify their defenses against unauthorized access, data leaks, and data theft. This comprehensive strategy not only protects sensitive data but also reinforces organizational resilience against the ever-evolving landscape of cyber threats.

 

To learn more about these integrations, watch our mechanics video or explore the “Rethinking Security from the Inside Out” Report to gain insights into the insider risk landscape, the challenges organizations face with existing tools, and best practices for protecting against data breaches.

The next generation of insider risk insights

To strengthen the end-to-end data security approach and provide improved visibility into sensitive data use, we’re constantly releasing new capabilities in Microsoft Purview Insider Risk Management, such as the recent addition of Copilot for Security alert summaries, the inclusion of Communication Compliance signals, and the creation of indicators across Microsoft Fabric and third-party clouds and apps.

 

An important development, currently in public preview in Insider Risk Management, is the enhancement of email insights to detect data exfiltration to personal accounts. This feature now provides additional information when business-sensitive data is potentially leaked from a work email account to a free public domain email account, which could lead to a data security incident. Identifying when a user sends sensitive information from a corporate account to a personal account is crucial for protecting that data, ensuring compliance with regulatory requirements, and preventing data loss.

 

Another recent public preview addition is adaptive scopes in Insider Risk Management. This capability allows admins to use existing adaptive scopes created in the Microsoft Purview compliance portal within Insider Risk Management policies, using queries to define user groups dynamically and giving admins more control over policy scoping. It provides more powerful targeting for policies, allowing different settings to be assigned to users based on attributes from Entra ID without the administrative burden of creating and maintaining groups. For example, when a policy is scoped to all users in the United States, its coverage will be automatically updated as new users get added to the United States employee list.

 

Stay tuned for more news and learn more about Insider Risk Management on our website.

 

Get started

 

[1] Defend Data From Insider Risks | Microsoft Security