Data breaches due to the behaviour of insiders are of increasing concern globally, but how do you tackle the problem? Neha Monga of Microsoft explains how you can identify and mitigate the risks.

“Let me share a story…”

Neha Monga, Director, Product Marketing, Cyber Security and Data Governance, at Microsoft APAC, proceeded to tell PrivSec Global’s worldwide audience a real-life story from two years ago about a group dubbed “The Sly Dog gang”.

“Four employees left a company, but along with memories, they took trade secrets with them,” she said.

“They took trade secrets and mailed the details to their personal email addresses with the title ‘you sly dog, you’.

“There was a ringleader who downloaded proprietary information from the company and then went ahead and recruited three accomplices. The only reason they got caught was due to a mistake that they themselves made when they accidentally sent an email to the old company’s email address.”

Monga said the fact that the “sly dog gang” would’ve got away with it had it not been for this mistake is “a very scary thought”.

But this is just the tip of the iceberg.

Monga stressed this is just one case: “There are many, many more from manufacturing to IT, to government, to telcos… organisations are facing financial and reputation loss, and in some cases even loss of customer base, all due to the risk employees, as insiders, pose,” she said.

The statistics are indeed stark. According to Microsoft’s Insider Risk Management Market Research, 93% of its customer base is concerned about insider risks, with two-thirds (66%) “very concerned”.

So how do businesses get a handle on this issue, so they can implement preventative measures?

One of the issues with the insider threat is that you can’t simply beef up access security.

“There is no question of legitimate access – your employees can access the data with authorisation and thus context and leading indicators are important to consider,” said Monga.

And what might these indicators be?

“It is important to understand that before the event occurs there is a path that leads to an employee becoming a risk”, said Monga.

Monga pointed to several stats from Deloitte giving a clue as to what to look out for.

More than half of people involved in insider breaches (51%) had a history of violating IT security policies, 97% had exhibited concerning behaviour, 92% had a negative work event, such as a demotion, poor performance review or a dispute with a manager, and 59% of employees who leave an organisation take data with them, said Monga.

These indicators, said Monga, are “like breadcrumbs” that can be followed to find and mitigate risks before they culminate in an event.

However, the challenge is the huge volume of data stored across different devices, and according to Monga, visibility into the location and movement of sensitive data is often poor, particularly if there is poor collaboration between compliance, security, HR and legal teams.

“Traditional approaches of user behaviour analytics, user activity monitoring and data loss prevention do not look at the entirety of the issue beyond their own particular siloed frame.

“There is low visibility into content, as well as low sentiment analysis, signal correlation and no integration from a workflow perspective beyond the Security Operation Centre (SOC).”

Monga says any effective insider risk management strategy needs to “combine people, process and technology”, into a transparent approach that balances employees’ need for privacy with the organisation’s risk intelligence to leverage the power of machine learning.

“This suite of solutions aims at addressing these issues with an integrated, end-to-end approach that is focused on rich insight, using machine learning to identify patterns with no need for an agent,” she said.

The platform has in-built privacy, automatic controls to prevent bias and “an ability to drive end-to-end investigation and proactive work that we can do in partnership with security, HR and legal teams,” she said.

Monga said Microsoft Insider Risk Management incorporates data loss prevention alerts, allows sentiment analysis through communication compliance across Teams and email, and facilitates collaboration with legal teams to perform Advanced eDiscovery.

Microsoft offers tailored templates to identify whether employees are committing data theft, whether data leaks are happening due to unintentional causes, or whether there has been a violation of security controls or HR processes. It offers five playbooks for different scenarios, including departing employee data theft playbooks, and playbooks for data leaks, security controls violations, HR policy violations and reported potential violations.

The aim is to put in place better preventative measures so that the next time a group like the “Sly Dog Gang” surfaces, or lone individuals either deliberately or accidentally leak data, companies have already spotted the warning signs and taken measures to stop the event before it has happened.