Seppala365.cloud

Understanding Insider Risk Management: The sequence game

In my previous blog I started laying out the case for why I think it’s time to start paying more attention to insider risk.

I’ll start shifting the focus from the ‘why’ to the ‘how’ – it’s time to discuss tools and methods. To be precise, I’ll start looking at Microsoft’s Purview Insider Risk Management as a solid toolkit for helping run an enterprise-grade insider risk and people security program.

This time, we’ll discuss three key concepts – indicators, sequences and priority content.

Individual interesting activities

Both “traditional” cybersecurity efforts and insider risk efforts rely on something called indicators, although they have slightly different implications in the two overlapping practices.

In the threat hunting world, the term Indicator of Compromise (IoC) often comes up, so let’s start by defining what an IoC essentially is:

An Indicator of Compromise (IoC) is a clue that something fishy is going on in your network. It could be a suspicious file, a weird URL, or an unusual user behavior. IoCs help you detect and respond to cyberattacks before they cause too much damage.

Yeah, that about sums it up.. thanks Bing! 👍

However, in the Insider Risk space, we treat individuals as innocent until proven guilty – and whenever possible, let people remain anonymous, as well.

This shift in goals and tactics gives indicators a new, different meaning.

An Insider Risk indicator is a clue that something unusual or potentially risky is happening within an organization.

So, unlike indicators of compromise (IoCs), which are signs of external attacks, indicators of insider risk are often more subtle and behavioral, such as changes in work habits or anomalous data handling practices.

To demonstrate this, let’s take a side-by-side look at a couple of typical indicators:

Cybersecurity indicators (IoCs) | Insider Risk indicators
File hashes | Copying sensitive files to USB
IP addresses | Downgrading file sensitivity to remove encryption
Domain names | Anomalous # of sensitive document downloads compared to person’s typical baseline
URLs | Unusual badge access attempt to sensitive physical space
Registry keys | Uploading files to unapproved cloud service

I like to characterize Insider Risk indicators as individual interesting activities.

In Insider Risk Management, the list of available indicators is already quite extensive and keeps growing as more and more other solutions are integrated with it.

I can pick & choose which indicators I want the solution to look at, allowing me to exclude some that might not mesh well with local laws and regulations depending on the country.

For example, countries with strong messaging privacy laws will probably want to consider turning off indicators dealing with content in Teams messages and email.

Indicators in Insider Risk Management

Context matters – a lot.

The thing is though – individual indicators without context and supporting evidence still aren’t very strong insider risk indicators at all.

For example, is downgrading a sensitivity label an indicator of risky behavior in itself? Not necessarily – in fact, doing so is even part of many established processes, like stock exchange releases, which start out their lifecycle as highly confidential and ultimately end up as public information.

In a nutshell, no Insider Risk indicator is an automatic strong sign of malicious intent by itself. Often we might act in risky ways because we lacked proper training, or maybe we work in an environment that encourages negligence due to a lack of a workplace culture that positively reinforces secure working practices.

On the other hand, consider this scenario:

  • You know that an individual has been terminated and is on their last month of employment.
  • One day, they anomalously download tens of sensitive documents from their OneDrive to their workstation.
  • Then, they remove the sensitivity label from each document, decrypting them.
  • They rename most of the documents and send the documents to their personal email account.
  • Finally, they delete the copies of the documents from their workstation.

This is something called a sequence – a temporally and logically connected series of activities with a clear, overarching goal.

Spotting and piecing together sequences manually is usually prohibitively demanding and time-consuming. Even attempting to do so would require people to trawl through tons of benign activity logs, presenting clear privacy and impartiality risks.

I consider the ability to efficiently detect, construct and analyze these sequences without removing strong privacy protections the cornerstone of a functional insider risk management approach.

In Microsoft Purview Insider Risk Management, AI handles sequence detection using the array of indicators you choose. You have fine-grained control over which sequences will be searched for after a policy is triggered.

A few of the many available sequence detections

You can also trigger an Insider Risk Management policy from the sequence itself, which is something I would actually favor for certain scenarios to help cut down on false positives and reduce alert fatigue.

Not all content is born equal

Apart from having AI-driven tooling, I consider a mature sensitivity labeling approach to be another foundational building block that unlocks the ability to effectively start managing insider risk.

This is because a sensitivity label is essentially a risk assessment of the file, email, group, site or dataset etc. it is applied to. High confidentiality equals high risk. Whether that risk assessment is made by automation or manually by individuals is secondary, as long as it is correct in relation to the information itself. That means as little under- or overclassification as possible.

The goal is for each file to have a label as closely corresponding to the risk of its contents as possible and thus, a correct assessment of risk.

Sensitivity labeling matters because we want to let Insider Risk Management’s AI engine prioritize high-risk content and give sequences involving such content a heavier weight when investigating activities.

Choosing prioritized content in Insider Risk Management

So, business information typically coalesces into files of various types, which in turn get sensitivity labels according to their content.

Those sensitivity labels then help AI to refine the scoring of Insider Risk alerts so that high severity alerts typically end up involving high priority content.

All of this aims at delivering as few false positives as possible, meaning fewer alerts that are ultimately nothingburgers.

As of 3/2023, aside from sensitivity labeled files, other types of content you can prioritize are..

  • Specific SharePoint sites (like high-value document repositories)
  • Sensitive information types – including Document Fingerprints and Exact Data Match SITs by the way!
  • File extensions
  • Content matching pre-trained or custom Machine Learning classifiers called Trainable Classifiers

When triaging alerts in Insider Risk Management, sequences involving priority content are clearly highlighted in several contexts.

This means being able to flag the most important assets isn’t just critical for AI, but also for you yourself as an insider risk analyst.

If you want to, you can even create IRM policies that only create alerts when flagged priority content is involved, helping keep your analysis efforts focused.
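To make the sequence and priority-content ideas from the two preceding sections concrete, here is an added illustration (my own toy code, not Purview’s detection engine or any Microsoft API). It assumes a flat list of indicator events per pseudonymous user, matches the terminated-employee chain in order inside a time window, weights steps that touched priority content more heavily, and optionally suppresses the alert when no priority content was involved; the indicator names, window and weights are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Activity:
    user: str          # pseudonymous id; the analyst never needs the real name
    kind: str          # indicator name, e.g. "download" or "label_downgrade"
    ts: datetime
    priority: bool = False  # step touched priority content (label, site, SIT...)

# Hypothetical sequence modelled on the terminated-employee scenario above.
EXFIL_SEQUENCE = ["download", "label_downgrade", "rename", "send_personal_email", "delete"]

def find_sequence(activities, pattern=EXFIL_SEQUENCE, window=timedelta(hours=24)):
    """Return the activities matching `pattern` in order within `window`, else None."""
    ordered = sorted(activities, key=lambda a: a.ts)
    for start, first in enumerate(ordered):
        if first.kind != pattern[0]:
            continue
        matched, idx = [first], 1
        for act in ordered[start + 1:]:
            if act.ts - first.ts > window:
                break  # the whole chain must complete inside the window
            if act.kind == pattern[idx]:
                matched.append(act)
                idx += 1
                if idx == len(pattern):
                    return matched
    return None

def score_sequence(matched, priority_weight=3):
    """One point per step; steps touching priority content weigh `priority_weight`."""
    return sum(priority_weight if act.priority else 1 for act in matched)

def evaluate(activities, require_priority=True):
    """Alert score for one user's activities, or None if no alert should be raised."""
    matched = find_sequence(activities)
    if matched is None or (require_priority and not any(a.priority for a in matched)):
        return None
    return score_sequence(matched)

# Constructed sample activity for two pseudonymous users (not real log data).
T0 = datetime(2023, 3, 1, 9, 0)
RISKY = [Activity("u-1", k, T0 + timedelta(minutes=10 * i), p) for i, (k, p) in enumerate([
    ("download", True), ("label_downgrade", True), ("rename", False),
    ("send_personal_email", False), ("delete", False)])]
# Same first two steps as a normal release workflow, then nothing further: no alert.
BENIGN = [Activity("u-2", "download", T0, True),
          Activity("u-2", "label_downgrade", T0 + timedelta(minutes=5), True)]
```

`evaluate(RISKY)` scores the full chain at 9 (two priority steps at weight 3 plus three ordinary steps), while `evaluate(BENIGN)` returns None because the label downgrade never turns into a complete sequence.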

Wrapping up – and something to think about..

We’ve now spent some time discussing Insider Risk indicators and how they differ from traditional cybersecurity IoCs. We’ve also highlighted the key role of sequences and how you really want an AI buddy to help you identify them. Finally, we touched on priority content and why insider risk builds on mature sensitivity labeling as a key building block.

There are other topics to discuss in the future, such as:

  • πŸ”Ž Where do all these indicators come from in the first place? Turns out you need all kinds of things in place to get the best ones – things like Defender for Endpoint & Endpoint DLP, Defender for Cloud Apps and a connection to your HR system come to mind, among others.
  • πŸ‘¨β€πŸ’Ό What kinds of roles are involved in an Insider Risk Program? Insider Risk isn’t one of those things you can just give to one guy or gal and tell them to handle it. You need proper role hygiene and auditing coupled with a robust least privilege approach.
  • β€οΈβ€πŸ©Ή How do we triage alerts? Determining whether to escalate one or more alerts into a full case isn’t always simple.
  • How does Insider Risk scoring feed into other controls like Data Loss Prevention policies? Once we can assign a well-founded and contextually updated risk score to individuals, we should probably try to leverage it to harden existing security measures only when necessary instead of going for the “closed fist” or “block everything” approach of the old days.
  • 🀝 What about People Security and culture? I’ve mentioned the criticality of nurturing a security-positive workplace culture a couple of times now. Security always comes down to people in the end and so people is who we must ultimately focus on if we want to solve this puzzle.

Well, enough jabbering for today.. the story goes on! I’ll leave you with two questions to ponder.

πŸ‘‰ Which department in your organization poses the highest level of insider risk?

πŸ‘‰ Which business function should be responsible for your Insider Risk program?

If you want to, you can see what 300 security & compliance professionals thought in Microsoft’s late 2022 whitepaper Building a Holistic Insider Risk Management Program – it’s on page 15. 😉 Something to think about.

See you next time! ✌️
