According to a recent Microsoft survey taken in March 2024, 87% of security leaders experienced a data breach in the last 12 months. Of these data breach incidents, 37% were due to external perpetrators using lost or stolen credentials and a whopping 63% were due to insider risks – 34% of which were inadvertent, and 29% due to users with malicious intent.
Despite the predominance of insider-driven data breaches, the majority of security leaders still list external threats as their top security concern and primary focus. That’s not to say insider risk management gets zero attention – most organisations simply focus on early indicators like poor security practices and suspicious data access patterns. Meanwhile, deliberate sabotage or theft of sensitive data by disgruntled employees often flies under the radar, as does “access creep” (the potentially dangerous accumulation of access privileges by an individual over time, without proper oversight).
The control vs productivity dilemma
So, why does insider risk not get the attention it deserves? One of the biggest stumbling blocks is the fact that it requires concerted effort on two separate fronts.
The first is user education and training – closing the knowledge and awareness gaps that lead to inadvertent and potentially dangerous mistakes.
The second is actively managing user access and permissions to minimise the potential for unauthorised data exfiltration. The challenge here is that overly stringent (and static) access controls can seriously impact employee productivity, often requiring businesses to choose between good productivity and good insider risk management.
Continuously evolving technology landscapes also require constant monitoring to ensure controls remain effective, creating a heavy burden for security teams.
The Adaptive Protection solution
Fortunately, the days of needing to apply and maintain static insider risk management controls are over. Instead, organisations using Microsoft Purview are now able to implement dynamic controls that automatically adapt to users’ specific risk profiles, applying protections where necessary without impacting unrelated workflows.
Microsoft Purview uses machine learning to dynamically identify potential malicious and/or inadvertent insider risks, including IP theft, data leakage and security violations. It then proactively applies appropriate protections and/or controls as per the organisation’s policies configured in Microsoft Purview Data Loss Prevention, Microsoft Purview Data Lifecycle Management (in preview) and Microsoft Entra Conditional Access (in preview).
Microsoft Purview’s Adaptive Protection helps mitigate insider risk through:
- Context-aware detection: Using machine learning to analyse content and user activities in order to identify the most critical risks.
- Dynamic controls: Enforcing effective controls on high-risk users without impacting the workflows – and productivity – of others.
- Automated mitigation: Minimising the occurrence (and impact) of data security events, reducing admin and freeing up security resources to focus on other high-impact areas.
Microsoft Purview Insider Risk Levels
Adaptive Protection allows administrators to set insider risk levels to evaluate the riskiness of a user’s activity based on criteria such as the number of exfiltration activities they perform, or high-severity alerts they generate.
These levels can be customised, but come predefined as follows:
- Elevated risk level: The highest risk, for users with high-severity alerts, three or more high-severity insights, or confirmed high-severity alerts.
- Moderate risk level: The medium risk, for users with medium-severity alerts or two high-severity exfiltration activities.
- Minor risk level: The lowest risk, for users with low-severity alerts or one high-severity exfiltration activity.
Risk levels are assigned to users based on the number and severity of their insights, not just their activity frequency. For instance, if a user downloads ten high-severity files from SharePoint in a day, it counts as one insight of ten activities. To reach an Elevated risk level, the user would need two additional high-severity insights.
Adaptive Protection integrations
The true power of Adaptive Protection is the way in which it brings together various Microsoft policy engines in order to protect against insider risk on every possible level, while actively minimising the impact of security controls on productivity. The fact that it can do this largely automatically, with minimal manual oversight from security administrators, will be a real game changer for insider threat protection moving forward.
To date, Microsoft has announced three key integrations with Adaptive Protection: Microsoft Purview Data Loss Prevention, Microsoft Purview Data Lifecycle Management, and Microsoft Entra Conditional Access.
Adaptive Protection and DLP
Finding a sweet spot for static DLP controls – where data is protected, but legitimate business activities are unimpeded – is tough.
By leveraging Adaptive Protection and users’ insider risk levels, however, DLP can dynamically apply the appropriate level of control (as configured by admins) over user activities across Exchange, Teams and endpoints. The result is scalable, intelligent and adaptable DLP that requires minimal manual supervision or policy tuning.
Example: Users with Minor or Moderate risk levels may receive policy tips on how to handle sensitive data appropriately, reinforcing their training and encouraging positive behavioural changes. Users on the Elevated risk level, on the other hand, can be subjected to much stricter controls, including being blocked from saving or sharing sensitive data at all.
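As an added illustration of the predefined risk-level rules above and the DLP example in this section (example code written for this page, not Microsoft Purview’s own logic): activities are grouped into per-day insights, mapped to the page’s Minor/Moderate/Elevated thresholds, and then to an assumed DLP action. The activity kinds, dates, user names and action names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Activity:
    user: str
    day: str       # constructed date string, e.g. "2024-05-01"
    kind: str      # hypothetical activity kind, e.g. "sharepoint_download"
    severity: str  # "low", "medium" or "high"

def group_insights(activities):
    # Same-day, same-kind activities per user collapse into one insight
    # (the article's rule: ten downloads in a day = one insight).
    insights = defaultdict(lambda: defaultdict(int))
    for a in activities:
        insights[a.user][(a.day, a.kind, a.severity)] += 1
    return insights

def risk_level(user_insights, alerts=()):
    # Page's thresholds, highest level first; `alerts` = severities of
    # alerts already raised for this user.
    high_insights = sum(1 for (_, _, sev) in user_insights if sev == "high")
    if "high" in alerts or high_insights >= 3:
        return "Elevated"
    if "medium" in alerts or high_insights == 2:
        return "Moderate"
    if "low" in alerts or high_insights == 1:
        return "Minor"
    return "None"

# Assumed DLP outcome per level, following the article's DLP example.
DLP_ACTION = {"None": "allow", "Minor": "policy_tip",
              "Moderate": "policy_tip", "Elevated": "block"}

def evaluate(activities, alerts_by_user=None):
    # Returns {user: (risk level, DLP action)} for a batch of activities.
    alerts_by_user = alerts_by_user or {}
    result = {}
    for user, user_insights in group_insights(activities).items():
        level = risk_level(user_insights, alerts_by_user.get(user, ()))
        result[user] = (level, DLP_ACTION[level])
    return result

# Constructed sample: alice downloads ten high-severity files in one day
# (one insight) plus two further high-severity insights; bob has one.
SAMPLE = [Activity("alice", "2024-05-01", "sharepoint_download", "high")] * 10 + [
    Activity("alice", "2024-05-02", "usb_copy", "high"),
    Activity("alice", "2024-05-03", "email_external", "high"),
    Activity("bob", "2024-05-01", "sharepoint_download", "high"),
    Activity("bob", "2024-05-01", "print", "low"),
]
```

Running `evaluate(SAMPLE)` yields Elevated/block for alice (three high-severity insights, despite twelve activities) and Minor/policy_tip for bob; passing `{"bob": ("medium",)}` as alerts lifts bob to Moderate.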
Adaptive Protection and Conditional Access
Conditional Access enforces access controls for data, applications and infrastructure based on user identity, location, and device signals. It can apply measures ranging from Multi-Factor Authentication to blocking access entirely, depending on the user’s individual risk level.
The trouble is: effective access management is often complicated by the use of multiple, fragmented and/or siloed solutions requiring the constant roll-out of new security controls.
By integrating Adaptive Protection and Conditional Access, however, organisations can leverage users’ insider risk levels to apply automatic access controls, eliminating the need for multiple security controls (and the admin headaches they create).
Example: A once-trusted employee has been flagged as Elevated risk due to an unusual number of high-severity security alerts. Using Adaptive Protection in combination with Conditional Access, this employee can be automatically added to a policy blocking access to critical applications. This minimises the risk of data exfiltration while the potentially compromised account is investigated.
Adaptive Protection and Data Lifecycle Management
As of May 2024, Adaptive Protection also integrates with Data Lifecycle Management. This enables organisations to automatically apply retention and deletion policies to users’ files and emails based on their risk level in order to prevent accidental or malicious deletion with potentially far-reaching ramifications.
Example: An employee is under investigation and has been flagged as Elevated risk. Using Adaptive Protection and DLM, controls can be automatically applied to preserve files and/or emails deleted by the user. This prevents vital “evidence” from disappearing, and reduces the risk of things like mass deletion events if the disgruntled employee attempts to “burn down the house” on their way out.