What happens when an employee leaves your organization?
They may have followed the rules and submitted their two weeks' notice. Then comes a two-week period in which they still have access to your systems. In that period, these employees have likely talked to competitors who would love to get their hands on your intellectual property.
This was the topic of Insider Threats and Insider Risk Management, a Q&A session with Raman Kalyan, Director of Product Marketing at Microsoft, and Erin Miyake, Senior Program Manager at Microsoft, at Microsoft Ignite 2021.
Insider Threats Are Challenging to Track
The employees may have heard through the grapevine that there is detection in place for people trying to steal documents. However, they know they want the documents and are willing to risk detection.
They might take sensitive files from SharePoint or a file share, rename them to something innocuous like “Softball schedule”, and then proceed to exfiltrate them. However, they consider themselves clever (you sly dog), so they email one file per day and print another. When they are done, they delete the files from their computer so no one will be able to trace what they did, or so they think.
These types of insider threats are intentional, methodical, and hard to detect. The employee is strategically picking the files they want to download and exfiltrate. They vary the channels, using Dropbox, AWS, email, and printing. They believe that no single instance looks concerning and that admins won't detect the pattern. Their strategy is to leak the information slowly. Traditionally, this kind of slow process has been hard to detect.
How to Prevent Risky Behavior in Office 365
You need to gain visibility into seemingly independent but related activities, and then sequence those activities on a set of files to get insight into the user's intent. You also need a way to address these insider threats promptly (preferably before the employee leaves).
One way to do this is to create a new policy when someone leaves. Using the audit logs already in your tenant, you’re able to look back in time and see what was going on weeks or months before the person left.
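As an added illustration (not code from the session or from any Microsoft or SysKit product), here is the kind of look-back logic described above run over a small constructed set of audit events: each user's actions are sequenced per file, a rename is followed so the "Softball schedule" copy is linked back to the original, and the rename-then-leak-then-delete pattern spread over several days and channels scores higher than a single send. Event field names are an assumption, not the real unified audit log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events, NOT real tenant data; field names are assumed.
EVENTS = [
    {"time": "2021-11-01T09:00", "user": "alice", "op": "FileRenamed",
     "file": "Q4_roadmap.xlsx", "new_name": "Softball schedule.xlsx"},
    {"time": "2021-11-01T09:05", "user": "alice", "op": "FileDownloaded", "file": "Softball schedule.xlsx"},
    {"time": "2021-11-02T10:00", "user": "alice", "op": "EmailSent", "file": "Softball schedule.xlsx"},
    {"time": "2021-11-03T11:00", "user": "alice", "op": "FilePrinted", "file": "Softball schedule.xlsx"},
    {"time": "2021-11-05T12:00", "user": "alice", "op": "FileDeleted", "file": "Softball schedule.xlsx"},
    {"time": "2021-11-01T13:00", "user": "bob", "op": "FileDownloaded", "file": "budget.docx"},
    {"time": "2021-11-02T13:00", "user": "bob", "op": "EmailSent", "file": "budget.docx"},
]

EXFIL_OPS = {"EmailSent", "FilePrinted", "FileUploadedToCloud"}  # channels that move data out


def file_timelines(events):
    """Sequence each user's actions per file, following renames back to the original name."""
    alias = {}                     # (user, current name) -> original name
    timelines = defaultdict(list)  # (user, original name) -> [(time, op), ...]
    for e in sorted(events, key=lambda e: e["time"]):
        original = alias.get((e["user"], e["file"]), e["file"])
        if e["op"] == "FileRenamed":
            alias[(e["user"], e["new_name"])] = original
        timelines[(e["user"], original)].append((datetime.fromisoformat(e["time"]), e["op"]))
    return timelines


def score_timeline(timeline):
    """Score one file's sequence: concealment, channel variety, slow drip and cleanup add risk."""
    ops = [op for _, op in timeline]
    channels = {op for op in ops if op in EXFIL_OPS}
    if not channels:
        return 0
    first_leak = min(ops.index(c) for c in channels)
    last_leak = max(ops.index(c) for c in channels)
    score = len(channels)                                       # each distinct exfil channel
    if "FileRenamed" in ops and ops.index("FileRenamed") < first_leak:
        score += 2                                              # renamed before leaking: concealment
    leak_times = [t for t, op in timeline if op in EXFIL_OPS]
    if (max(leak_times) - min(leak_times)).days >= 1:
        score += 1                                              # leaks spread across days: slow drip
    if "FileDeleted" in ops and ops.index("FileDeleted") > last_leak:
        score += 2                                              # deleted after leaking: cleanup
    return score


def flag_users(events, threshold=4):
    """Return {user: total score} for users whose summed per-file scores reach the threshold."""
    totals = defaultdict(int)
    for (user, _), timeline in file_timelines(events).items():
        totals[user] += score_timeline(timeline)
    return {u: s for u, s in totals.items() if s >= threshold}
```

Running `flag_users(EVENTS)` flags only alice; bob's single email scores 1 and stays below the threshold, which is the point of sequencing rather than alerting on each event alone.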
Now, Insider Risk Management offers Active Directory integration together with alerts from a Data Loss Prevention (DLP) policy. Traditionally, setting up a DLP policy was challenging. Now Microsoft has added a built-in triggering event, so you can kick off the policy wizard and set up the procedure in five clicks. This will scan your environment, detect risky exfiltration, and activate the risk scoring for that policy.
You can also use SysKit Point, a governance and security tool, to set up custom security alerts. You can fine-tune the alerts to show you actions of specific people, such as former employees.
Sometimes, you need visibility into things that occur outside of your tenant. For this, you have Microsoft Cloud App Security (MCAS). MCAS gives you visibility into third-party cloud signals. For example, it can track failed logins to a third-party web service like Amazon's AWS. It can also track files that are taken out of SharePoint: even if the employee changes a file's name and then sends it to Dropbox, MCAS can track it. This lets you put the pieces together and then take action.
Together, MCAS and Insider Risk Management can show you the value of the correlation of multiple seemingly independent events. You can then piece together several different events and recommend action to the person who needs to make a decision.
When HR and Legal Work Together
The new HR connector lets Insider Risk Management know employees' resignation and termination dates. HR can also share other disgruntlement indicators, such as performance improvement plans and poor performance indicators.
By collaborating with HR and legal, security personnel can look at insider risks through a different lens. HR can help ensure that the proper security precautions do not negatively impact company morale or hinder the company culture. You can also work with your legal department to ensure you follow employment law while protecting your organization's valuable intellectual property.