
Microsoft unveils new security features for SOC teams to combat insider threats


Microsoft Corp. today announced the public preview of Insider Risk Management Context in Microsoft Defender XDR and other new security features that focus on improving how security operations center teams investigate and manage insider risk.

The announcements, made during the annual RSA Conference this week in San Francisco, aim to strengthen the tools available for SOC teams, empowering them to better handle the increasing frequency and complexity of insider threats and data breaches.

First up is a new feature in Microsoft Defender XDR that provides SOC analysts with an improved view of insider risks. Insider Risk Management Context within the Microsoft Defender XDR user entity page details customer-determined permissions. It also details an insider risk summary of user exfiltration activities that could potentially lead to data security incidents as a part of the user entity investigation experience in Microsoft Defender.

With the new feature, users looking into an occurrence in Microsoft Defender’s Incidents view can dig further into an incident’s source. In an example provided by Microsoft, a multistage attack stole an employee’s credentials, followed by exfiltration activities that triggered multiple data loss prevention alerts, such as sharing payment card information externally. The activity is now highlighted as “high insider risk severity” within the Defender Incident investigation experience.

Microsoft also today announced the general availability of Copilot capability within Microsoft Purview, the company’s suite of solutions designed to manage data governance, compliance and risk across Microsoft services and platforms.

Previously announced at Microsoft Secure, the new Copilot functions allow data security and data compliance analysts to access real-time guidance, with Copilot summarization capabilities and natural language support built directly into their investigation workflows. The new features help organizations save time, speed up investigations and uncover findings into specific incidents to investigate next and mitigate security risks, the company said.

In addition, Microsoft announced new Insider Risk Management features focused on assisting investigations and improving the experience of data security teams. Insider Risk Management now also extends data security across an entire data estate, detecting data risks in Microsoft Fabric, as well as other software-as-a-service apps such as those from Dropbox Inc., GitHub, Box Inc. and infrastructure clouds such as Amazon Web Services Inc.

Microsoft is enhancing Insider Risk Management as well to provide additional email insight alerts when business-sensitive data is potentially leaked from a work email account to a free public domain or personal email account. The new feature makes the triaging experience easier by highlighting when insiders are sending an attachment to their personal email, the company said.

Finally, Microsoft announced the public preview of Adaptive Scopes, a new service that allows administrators to use adaptive scopes created within the Microsoft Purview compliance portal to scope Insider Risk Management policies and dynamically define user or group membership based on Entra ID attributes, such as location or department.

Photo: Mike Mozart/Flickr
