{"id":109415,"date":"2020-02-20T14:28:52","date_gmt":"2020-02-20T14:28:52","guid":{"rendered":"https:\/\/news.microsoft.com\/?p=436296"},"modified":"2020-02-20T14:28:52","modified_gmt":"2020-02-20T14:28:52","slug":"how-microsoft-365s-new-solution-uses-machine-learning-to-stop-data-leaks-and-insider-attacks","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2020\/02\/20\/how-microsoft-365s-new-solution-uses-machine-learning-to-stop-data-leaks-and-insider-attacks\/","title":{"rendered":"How Microsoft 365\u2019s new solution uses machine learning to stop data leaks and insider attacks"},"content":{"rendered":"<p>If an employee who recently gave two weeks\u2019 notice starts downloading large numbers of files from the company network and copying them to a thumb drive, it is entirely possible that he or she has no malicious intent. The employee could be saving innocuous files related to their employment record or examples of marketing pieces they created.<\/p>\n<p>However, in a small number of cases, the employee could be attempting to take confidential product designs, sensitive legal information, private employee data or trade secrets with them to a rival company.<\/p>\n<p>It can be difficult for a company to even spot these \u201cinsider risks,\u201d much less distinguish between routine behavior and the outlier that could destroy a company\u2019s competitive advantage or reputation.<\/p>\n<p>That\u2019s why Microsoft is <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/business\/compliance-solutions\">offering a new Insider Risk Management solution<\/a> within Microsoft 365 that <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/blog\/2020\/02\/20\/leverage-ai-machine-learning-address-insider-risks\/\">uses machine learning to intelligently detect potentially risky behavior<\/a> within a company. 
It also quickly identifies which activities are most likely to pose real security threats, even inadvertently.<\/p>\n<p>Because mistakes are a larger source of actual risk than insider attacks, the solution was designed to help employees make the right choices and avoid common security lapses. To be effective, engineers knew, the solution also had to help people do their jobs rather than slow them down.<\/p>\n<p>\u201cFundamentally, a company\u2019s employees are usually trying to do the right thing,\u201d said Bret Arsenault, Microsoft\u2019s chief information security officer and corporate vice president. \u201cBut sometimes intention is different than outcome.\u201d<\/p>\n<p>A couple of years ago, the security threats keeping Arsenault awake at night weren\u2019t limited to hackers, cybercriminals or nation state attacks that Microsoft employs a <a href=\"https:\/\/news.microsoft.com\/stories\/cloud-security\/\">small army of experts and leading-edge technologies<\/a> to thwart. He increasingly worried about the potential risks, largely unintentional but occasionally malicious, from employees who already have easy access to a company\u2019s most sensitive information.<\/p>\n<p>For instance, that could include someone who inadvertently keeps sensitive information in a folder that\u2019s searchable to anyone in the company, making it vulnerable to theft. Or the person who just hits the wrong button and mistakenly emails a highly confidential document outside the company.<\/p>\n<p>In a recent survey of cybersecurity professionals, 90 percent of organizations indicated that they felt vulnerable to insider risk, and two-thirds considered malicious insider attacks or accidental breaches more likely than external attacks. 
More than half of organizations reported that they had experienced an insider attack in the past year, according to <a href=\"https:\/\/crowdresearchpartners.com\/portfolio\/insider-threat-report\/\">an insider threat report from Crowd Research Partners<\/a>.<\/p>\n<figure id=\"attachment_82080\" aria-describedby=\"caption-attachment-82080\" class=\"wp-caption alignright\"><a href=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2020\/02\/how-microsoft-365s-new-solution-uses-machine-learning-to-stop-data-leaks-and-insider-attacks.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-82080 size-full\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2020\/02\/how-microsoft-365s-new-solution-uses-machine-learning-to-stop-data-leaks-and-insider-attacks.jpg\" alt=\"Bret Arsenault stands in front of a concrete wall\" width=\"1920\" height=\"1080\"><\/a><figcaption id=\"caption-attachment-82080\" class=\"wp-caption-text\">Bret Arsenault, Microsoft corporate vice president and chief information security officer. Photo by Scott Eklund\/Red Box Pictures.<\/figcaption><\/figure>\n<p>\u201cIn the security industry there has been a disproportionate amount of focus on external adversaries,\u201d Arsenault said. \u201cBut with thousands of employees logging into a company\u2019s systems every day, the threat of users \u2014 whether with inadvertent or malicious intent \u2014 may be a higher risk scenario. And that\u2019s when we realized we needed to expand our focus.\u201d<\/p>\n<p>Arsenault tasked engineers from his security team and Microsoft 365 with <a href=\"https:\/\/www.youtube.com\/watch?v=LknpWWJloTE\">creating a solution that leverages machine learning to intelligently detect and prevent internal security breaches<\/a>, and to eventually turn that into a solution for customers. 
But it had to be designed with Microsoft core principles in mind: respecting employee privacy, assuming positive intent at the outset and encouraging the free flow of information and collaboration within a company.<\/p>\n<p>The Insider Risk Management solution combines the massive array of signals from Microsoft 365 productivity tools, Windows operating systems and Azure cloud services with machine learning algorithms that can identify anomalous and potentially risky behavior from people using those products.<\/p>\n<p>Product engineers worked closely with internal security analysts, human resources and other experts within Microsoft \u2014 and consulted with workers\u2019 advocates in countries that share Microsoft\u2019s strong commitment to privacy \u2014 to ensure the solution struck the right balance in respecting employees\u2019 privacy and workflows.<\/p>\n<p>\u201cWe knew that insider risk was becoming a more pervasive and expensive challenge, but also that we had to have an entirely different lens for addressing it,\u201d said Erin Miyake, Microsoft\u2019s senior program manager for insider threats, who worked with human resources, compliance and product experts to develop the new solution.<\/p>\n<p>To start, you\u2019re looking at people who already have access to company assets as part of their jobs, so it\u2019s harder to detect, she said.<\/p>\n<p>Then, because you\u2019re analyzing activity from people who are already in your workforce, it\u2019s essential to balance risk management with company culture, privacy, fairness and compliance needs. Those considerations simply don\u2019t come up when you\u2019re protecting a company from faceless cybercriminals in distant countries, said Talhah Mir, principal project manager in the Microsoft 365 security and compliance team.<\/p>\n<p>\u201cEmployees absolutely should have access to the things they need for their jobs and shouldn\u2019t feel unnecessary friction,\u201d Mir said. 
\u201cThis is really about taking all these signals that already exist in the background and reasoning over it at scale with machine learning to find that thread in that sea of information that identifies possibly suspicious activities.\u201d<\/p>\n<p>All initial reports of unusual behavior in the Insider Risk Management system can be anonymized at the outset \u2014 to protect reputations and prevent any bias from creeping into the process. But because data signals only get you so far, the tool also offers a collaboration platform for investigators, human resource experts or business managers to determine whether the unusual behavior might be malicious or just something outside a person\u2019s normal workflow.<\/p>\n<p>Microsoft engineers working on the Insider Risk Management solution consulted with internal legal and human resources departments to delineate what thresholds would need to be met within Microsoft for anyone involved in an investigation to take necessary next steps.<\/p>\n<p>\u201cThe system doesn\u2019t pass any judgment or assume ill intent,\u201d Mir said. 
\u201cIf there is an anomaly, you start from the place that the end user is probably just trying to get their job done, but we\u2019re still going to trust and verify.\u201d<\/p>\n<figure id=\"attachment_82081\" aria-describedby=\"caption-attachment-82081\" class=\"wp-caption alignright\"><a href=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2020\/02\/how-microsoft-365s-new-solution-uses-machine-learning-to-stop-data-leaks-and-insider-attacks-1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-82081 size-full\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2020\/02\/how-microsoft-365s-new-solution-uses-machine-learning-to-stop-data-leaks-and-insider-attacks-1.jpg\" alt=\"Talhah Mir and Erin Miyake looking at a laptop, with a projector screen behind them\" width=\"1920\" height=\"1080\"><\/a><figcaption id=\"caption-attachment-82081\" class=\"wp-caption-text\">Talhah Mir, principal project manager in the Microsoft 365 security and compliance team (left), and Erin Miyake, Microsoft senior program manager for insider threats (right), collaborated with security, human resources and compliance experts across the company to develop the Insider Risk Management solution. Photo by Scott Eklund\/Red Box Pictures.<\/figcaption><\/figure>\n<p>The new solution uses machine learning algorithms to look for patterns of unusual and potentially risky behavior, which might be downloading hundreds of sensitive files from a SharePoint site, copying files to a USB device, disabling security software or emailing sensitive files outside of the company. It leverages Microsoft Graph and other services to look for anomalous signals across Windows, Azure and Office products such as SharePoint, OneDrive, Teams and Outlook.<\/p>\n<p>None of those activities are inherently threatening, as employees do these things each day as part of their jobs. 
But the patterns become more meaningful as the system draws information from other sources, such as classification and labeling tools offered in Office 365 that can be used to flag sensitive documents and datasets.<\/p>\n<p>That allows the algorithms to begin to distinguish between the risks posed by the employee who might be downloading uncontroversial presentations or documents \u2014 perhaps because they\u2019re about to embark on a sales trip \u2014 and the employee who\u2019s downloading highly confidential designs for a product under development.<\/p>\n<p>The system can also indicate if downloaded files contain customer banking or credit card information, which would be a red flag for would-be identity theft. And, with the proper permissions, an analyst can see the content of downloaded files to further assess how harmful an outside leak of that information might be.<\/p>\n<p>The Insider Risk Management solution can also plug into third-party human resources software, for instance, to bring in other pertinent data, such as whether an employee has recently resigned.<\/p>\n<p>The algorithms factor in all of that information and assign each unusual activity a numerical \u201crisk score,\u201d which helps people tasked with managing insider risk to easily see where they need to focus additional attention.<\/p>\n<p>That mirrors solutions such as the <a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/control-and-improve-your-security-posture-with-azure-secure-score\/\">Azure Secure Score<\/a> and <a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/strengthen-your-security-posture-and-protect-against-threats-with-azure-security-center\/\">Azure Security Center<\/a>, which help Microsoft customers protect their data stored in the cloud by monitoring for, identifying and prioritizing the most serious security vulnerabilities. 
That could include mistakes in the way a customer configures a firewall that could allow a hacker to gain access and reflects the shared responsibility that both enterprises and cloud providers have to protect data in the cloud from all threats.<\/p>\n<p>Microsoft\u2019s own digital risk security team initially developed the insider risk machine learning algorithms as part of its own in-house solution to better detect potential insider risks from the data that\u2019s already generated by its 150,000 employees around the world. The anomaly detection \u2014 which uses audit logs from existing tools \u2014 is part of a long line of technologies that have enabled the company to provide better security in ways that are relatively frictionless for employees, Arsenault said.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If an employee who recently gave two weeks\u2019 notice starts downloading large numbers of files from the company network and copying them to a thumb drive, it is entirely possible that he or she has no malicious intent. 
The employee could be saving innocuous files related to their employment record or examples of marketing pieces [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":109416,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[49],"tags":[50,52],"class_list":["post-109415","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-news","tag-recent-news","tag-security"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/109415","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=109415"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/109415\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/109416"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=109415"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=109415"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=109415"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}