The disrupted work environment, in which enterprises were forced to find new ways to enable their workforce to work remotely, changed the landscape for operations as well as security. One of the top areas of concern is effectively managing insider risk, a complex undertaking even before the pandemic, and even more so in the new remote or hybrid work environment.
Because its scope goes beyond security, insider risk management requires diverse perspectives and thus inherently requires collaboration among key stakeholders across the organization. At Microsoft, our insider risk management strategy was built on insights from legal, privacy, and HR teams, as well as security experts and data scientists, who use AI and machine learning to sift through massive volumes of signals to identify possible insider risks.
It was also necessary for us to widen this collaboration beyond Microsoft. For example, for the past few years, Microsoft has partnered with Carnegie Mellon University to bring in their expertise and experience in insider threats and provide insights about the nature of the broader landscape. (Read: Using Endpoint Signals for Insider Threat Detection [PDF].)
Our partnership with Carnegie Mellon University has helped shape our mindset and influenced our Insider Risk Management product, a Microsoft 365 solution that enables organizations to use machine learning to detect, investigate, and act on malicious and unintentional activities. Partnering with organizations like Carnegie Mellon University allows us to bring their rich research and insights to our products and services, so customers can fully benefit from our breadth of signals.
This research partnership with Carnegie Mellon University experiments with innovative ways to identify indicators of insider risk. The output of these experiments becomes input to our research-informed product roadmap. For example, our data scientists and researchers have been looking into using threat data from Microsoft 365 Defender to gain insights that can be used for managing insider risk. Today, we'd like to share our progress on this research in the form of Microsoft 365 Defender advanced hunting queries, now available in a GitHub repo:
Detecting exfiltration to a competitor organization: This query helps enterprises see instances of a malicious insider creating a file archive and then emailing that archive to an external "competitor" organization. Effective use of the query requires prior knowledge of the email addresses or domains that would pose a risk to the organization if data were sent to them.
Detecting exfiltration after termination: This query looks for instances in which a terminated individual (i.e., one who has an impending termination date but has not yet left the company) downloads many files from a non-domain network address.
Detecting steganography exfiltration: This query looks for instances of malicious users who create steganographic images and then immediately browse to a webmail URL. Additional investigation is required to determine whether the co-occurrence of a) creating a steganographic image and b) browsing to a webmail URL actually indicates a malicious event.
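To make the first detection concrete, the following is an added illustrative advanced hunting query, written for this page and not taken from Microsoft's GitHub repo or from the Carnegie Mellon research. It assumes the standard Microsoft 365 Defender advanced hunting tables DeviceFileEvents, EmailEvents and EmailAttachmentInfo with their documented columns, and it uses placeholder competitor domains (competitor-a.example, competitor-b.example) that stand in for the organization's own watchlist of risky addresses. It correlates an archive created on a managed endpoint with an outbound message to a competitor domain carrying an attachment with the same SHA-256, within a one-hour window:

```kql
// Added illustrative query for "exfiltration to a competitor organization".
// NOT one of the queries in Microsoft's GitHub repo; assumes the standard
// Microsoft 365 Defender tables DeviceFileEvents, EmailEvents and
// EmailAttachmentInfo. The competitor domains are placeholders: replace
// them with your own watchlist of addresses/domains that pose a risk.
let CompetitorDomains = dynamic(["competitor-a.example", "competitor-b.example"]);
let Lookback = 7d;                 // how far back to hunt
let ArchiveToMailWindow = 1h;      // archive must be mailed within this window
// Step 1: archive files written to disk on managed endpoints.
let ArchiveCreated =
    DeviceFileEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == "FileCreated"
    | where FileName endswith ".zip" or FileName endswith ".7z" or FileName endswith ".rar"
    | where isnotempty(SHA256)
    | project ArchiveTime = Timestamp, DeviceName, ArchiveName = FileName,
              ArchiveSHA256 = SHA256, CreatedBy = InitiatingProcessAccountName;
// Step 2: outbound messages with attachments addressed to a competitor domain.
let MailToCompetitor =
    EmailEvents
    | where Timestamp > ago(Lookback)
    | where EmailDirection == "Outbound"
    | extend RecipientDomain = tolower(tostring(split(RecipientEmailAddress, "@")[1]))
    | where RecipientDomain in (CompetitorDomains)
    | where AttachmentCount > 0
    | project MailTime = Timestamp, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, Subject;
// Step 3: the attachments on those messages, keyed by hash so they can be
// matched against the file created on the endpoint.
let CompetitorAttachments =
    EmailAttachmentInfo
    | where Timestamp > ago(Lookback)
    | join kind=inner (MailToCompetitor) on NetworkMessageId
    | project MailTime, SenderFromAddress, RecipientEmailAddress, Subject,
              AttachmentName = FileName, AttachmentSHA256 = SHA256;
// Step 4: the same archive (by SHA-256) created on a device and then mailed
// to a competitor within the window. Matching on hash avoids having to map
// device account names to mailbox addresses, but it misses archives that are
// re-packed or re-created before sending (see the usage note below).
ArchiveCreated
| join kind=inner (CompetitorAttachments) on $left.ArchiveSHA256 == $right.AttachmentSHA256
| where MailTime between (ArchiveTime .. (ArchiveTime + ArchiveToMailWindow))
| project ArchiveTime, MailTime, DeviceName, CreatedBy, ArchiveName,
          SenderFromAddress, RecipientEmailAddress, Subject, ArchiveSHA256
| sort by MailTime desc
```

The hash join is the high-precision form of the detection: a hit means the exact bytes written on the endpoint left the organization. It is also the easy way to evade, since re-zipping or renaming a file inside the archive changes the hash, so for broader hunting a practitioner would add a second, looser variant that joins on the user (mapping InitiatingProcessAccountName to SenderFromAddress through the organization's identity data) and on the time window alone, accepting more false positives in exchange for coverage. As the page notes, the query is only as good as the competitor watchlist it is given.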
As these queries demonstrate, industry partnerships allow us to enrich our own intelligence with other organizations' depth of knowledge, helping us address some of the bigger challenges of insider risk through the product, while bringing scientifically proven solutions to our customers more quickly through this open-source library.
Microsoft will continue investing in partnerships like the one with Carnegie Mellon University to learn from experts and deliver best-in-class intelligence to our customers. Follow our insider risk podcast and join us on our Insider Risk Management journey!
The post Collaborative innovation on display in Microsoft’s insider risk management strategy appeared first on Microsoft Security .