How Microsoft can help reduce insider risk during the Great Reshuffle

These are exciting and demanding days for organizations adapting to hybrid work realities, including a wider distributed workforce and more rapid change in employee roles. Organizations are becoming more agile as they refocus on employee onboarding and empowerment, opportunities with third-party partners, and cloud transformation. These dramatic shifts drive business resilience and upside in a world still coping with pandemic disruptions.

These workplace shifts test and break an organization’s compliance postures as executive, IT, and risk professionals take stock of resulting gaps and blind spots. Research from Carnegie Mellon University’s CyLab, with support from Microsoft, found that a majority of surveyed organizations had experienced over five malicious insider threat incidents in the last year (69 percent of respondents), and over 10 inadvertent or data misuse incidents (58 percent of respondents).1

Underscoring the stakes of the moment is the business sector’s high-profile challenge: the Great Reshuffle of employee roles and talent. Microsoft’s 2021 Work Trend Index found that 41 percent of the global workforce was considering leaving their employer due to burnout and a lack of workplace flexibility.2 The cyber risk ramifications of reshuffles like this are clear when you consider the data exposure that can occur with a mix of departing employees and new staff unfamiliar with the organization’s security and compliance policies.

The best course of action for navigating the changing data landscape isn’t overly restricting employee access or aggressively punishing small errors. Organizations need a solution that lends employees the access they need while providing IT teams tools to quickly identify risky insider activity. This balance of trust is critical when implementing an insider risk program and can create a culture of empathy that empowers employees to work safely and independently.

We’re excited to announce a few new features that can help organizations better manage their insider risks, while also facilitating a corporate culture of safety and respect.

Improving insider risk management visibility, context, and integrations

Identifying and managing security and data risks inside your organization can be challenging. Insider risk management in Microsoft 365 helps minimize internal risks by empowering security teams to detect and act on malicious and inadvertent activities in your organization. Where traditional tools and strategies may focus on preventing sensitive data from leaving your organization, insider risk management leverages machine learning to correlate signals around risky user behavior and identify which activities may result in data theft or data leakage. These insights help security teams to identify potential concerns and can help accelerate time to action.

Communication compliance in Microsoft 365 helps organizations foster safe and compliant communications across corporate communications. In the world of hybrid work, organizations seek out communication and collaboration tools to empower employees to do their best work. At the same time, they need to manage risk in communications to protect company assets, fulfill regulatory compliance obligations, and detect code of conduct violations, like harassing or threatening language, sharing of adult content, and inappropriate sharing of sensitive information. We are honored that  Gartner® has listed Microsoft as a Leader in its 2022 Magic Quadrant™ for Enterprise Information Archiving, a market “designed for archiving data sources to a centralized platform to satisfy information governance requirements.”3

Built with privacy by design, the solutions ensure that user names are pseudonymized by default, role-based access controls are built-in, and investigators must be explicitly added by an administrator.

Today, Microsoft is excited to announce new functionalities in insider risk management and communication compliance for Microsoft 365:

  • Enhancements to sequence detections.
  • Enhancements and additions to insider risk investigation capabilities.
  • Enhanced cumulative exfiltration anomaly detection capabilities.
  • Enhanced audit trail of investigator and analyst activity.
  • New classifier to detect customer complaints made about your organization’s products or services in communication compliance.

Microsoft 365 E3 customers are welcome to sign up for an Insider Risk Management Trial or the Microsoft E5 Compliance Trial through the Microsoft compliance center.

Enhancements to sequence detections

To help security and risk management teams accelerate time to action when it comes to insider risk management, it’s important to provide a rich context of risky user activity that goes beyond a transactional view.

In 2021, we introduced sequence detection to help analysts and investigators identify a series of connected activities and get a better understanding of intent. Today, we’re excited to announce enhancements to our sequence detections, including the ability to identify changes in document sensitivities, such as a document label being downgraded from Confidential to Public in an effort to evade detections. Insider risk can also detect sequences that may start on an endpoint device, providing greater visibility into the risky activity that may start on a workstation or device. We’ve also included additional exfiltration signals to broaden the coverage of sequences, including visibility for when a user uploads data to a cloud as a potential exfiltration step.

Enhancement and additions to insider risk investigation capabilities

With insider risk management, your security, data protection, or investigative teams have new tools and capabilities to better understand and investigate the risky activities happening in your environment.

This update includes an improved user experience for drilling down into sequences within the activity explorer. With these latest updates, security teams can get better insights into user activity types, including the ability to filter by activity category in the user activity view.

The improved alert triage experience in insider risk management includes a new summary user alert history timeline to provide better context, as well as an enhanced alert overview page.

New summary alert timeline in Insider Risk provides context on risky user activity.

Furthermore, insider risk management administrators can now set up email notifications for high severity alerts or for policy health recommendations.

Enhanced cumulative exfiltration anomaly detection capabilities

With cumulative exfiltration anomaly detection (CEAD) in insider risk management, organizations can leverage machine learning models to detect when a user’s exfiltration activities exceed the organizational averages. This can help to detect exfiltration activities that security teams might traditionally miss through data loss prevention (DLP) or structured policies alone. Learn more about CEAD.

Enhanced alert review experience, including the new visual for cumulative exfiltration anomaly detection.

With these latest updates, there are new visuals to represent potentially risky activity, making it easier for investigative or analyst teams to review and triage user activity against the organizational normal. CEAD will also prioritize cumulative exfiltration of sensitive documents based on prioritized SharePoint sites and built-in sensitive information types, as well as Microsoft Information Protection (MIP) label prioritization.  

Enhanced audit trail of investigator and analyst activity

When security or investigative teams are looking into organizational activity, it is crucial that investigations align with regulatory requirements and your organization’s compliance and security policies. It is also key to ensuring objectivity on the part of the investigators and analysts who are reviewing user activities.

Microsoft is announcing new audit events for insider risk management, including audit events of activities within the content explorer, activity explorer, and user timeline. These additional audit log events mean that anyone reviewing audit logs will have a better understanding of what investigators or analysts did within the insider risk management interface.

New customer complaints model in communication compliance

In highly regulated industries, such as financial services, pharmaceuticals, and food, organizations are mandated by law to track and address customer complaints made on their products or services. We are excited to announce the preview of a new customer complaint classifier that detects possible complaints filed by customers and surfaces matches for customer complaint management.

This new feature can help organizations meet regulations that mandate detection and triage of complaints, such as the Consumer Financial Protection Bureau and the Food and Drug Administrator requirements. Additionally, this feature can help organizations gain insight into how to improve their products and services.

View of customer complaints classifier during policy configuration.

Microsoft partners with other security leaders to address insider risk

In addition to our work in growing the capabilities of our insider risk management and communication compliance solutions, Microsoft is focused on reducing insider risks through partnerships and knowledge sharing. Microsoft is a Founding Research Sponsor of MITRE Engenuity’s Center for Threat-Informed Defense (Center), which launched a knowledge base to identify insider threats. See the Center’s release announcement here.

This latest resource from the Center is designed to help insider threat programs and security operation centers (SOCs) “detect, mitigate, and emulate insider actions on IT systems” and to stop those behaviors deemed risky or damaging. These resources include a Knowledge Base of Tactics, Techniques, and Procedures (TTPs) and the Design Principles and Methodology report.

As a Founding Research Sponsor, Microsoft researchers and security practitioners collaborated with other security industry partners to share TTPs and insights for what we are seeing in the insider risk space. “Microsoft’s work with the Center team and other security leaders confirms that insider risks pose a huge threat and that detection requires context beyond standard TTPs. Through this program, Microsoft’s Digital Security and Resilience and engineering teams partnered with and learned from others, and we are excited to see the collaboration in this space grow,” shared Rob McCann, Principal Data Scientist in Microsoft’s Security Research division. “This initial Knowledge Base sets the stage for industry-wide expansion and increased awareness of insider risk across the security community, and helps lay a foundation for further development and understanding of the insider risk landscape. This is an exciting step forward, and we’re grateful to have been a part of it.”

The insights and learnings from Microsoft’s participation in the Center have reaffirmed the priorities that have shaped Microsoft’s investments, both internally and in solutions available to our customers, including insider risk management.

Building an effective insider risk program

Over the past 18 months, we have seen high-profile insider risk incidents across a number of industries, ranging from data theft to corporate code of conduct violations. Recent high-profile examples have included the theft of confidential documents related to COVID-19 vaccines in the pharmaceutical industry to workplace harassment.

PwC and Microsoft advocate for an enterprise-wide approach to insider risk by leveraging key stakeholders to identify potential insider risks and tailor technical controls to address them. See how your organization can benefit from this approach by downloading the PwC and Microsoft whitepaper Building an effective insider risk management program.

Get started

These new features in insider risk management and communication compliance for Microsoft 365 have already rolled out or will start rolling out to customer tenants in the coming weeks. These solutions are also generally available across government clouds, supported in Government Community Cloud (GCC), GCC-High, and US Department of Defense (DoD) tenants.

We are happy to share that there is now an easier way for you to try Microsoft compliance solutions directly in the Microsoft 365 compliance center. By enabling the trial in the compliance center, you can quickly start using all capabilities of Microsoft Compliance, including insider risk management, communication compliance, records management, Advanced Audit, Advanced eDiscovery, MIP, DLP, and Compliance Manager.

If you are a current Microsoft 365 E3 user and interested in experiencing insider risk management, check out the Insider Risk Management Trial or the Microsoft E5 Compliance Trial to see how insider risk solutions and analytics can give you actionable insights.

Learn more about how to get started and configure policies in your tenant in the supporting documentation for insider risk management and communication compliance. Keep a lookout for updates to the documentation with information on the new features over the coming weeks.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Insider Risk Management Program Building: Summary of Insights from Practitioners, CyLab, Carnegie Mellon University. May 2021.

2The Great Reshuffle and how Microsoft Viva is helping reimagine the employee experience, Seth Patton, Microsoft 365. September 28, 2021.

3Gartner, Magic Quadrant for Enterprise Information Archiving, Michael Hoeck, Jeff Vogel, Chandra Mukhyala, Gartner. January 24, 2022.

Gartner and Magic Quadrant are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

READ MORE HERE