Insider threat: First aid for a misunderstood risk vector
"It is said that only a fool learns from his own mistakes; a wise man from the mistakes of others." -Otto von Bismarck
While we've been routinely protecting against external attackers for years, we've also often willingly ignored the other side of the equation: the hundreds or thousands of insiders - current and former company employees and contractors - with continuous access to sensitive internal information 24/7/365.
In 2024, Gartner predicted that by 2027, as much as 70% of organizations will combine data loss prevention and insider risk management disciplines with IAM context to identify suspicious insider behavior more effectively.
It's not hard to understand why insider threat has been neglected so far:
* Investigating and mitigating insider threat is a murky topic, especially for those approaching it from the more clear-cut Blue team / Red team world of cybersecurity focused on external attackers.
* Timely visibility into real insider threat isn't tied to any single alert or event. It takes a fusion of human and technical data points, put into proper context (and parsed into chronological sequences with a bit of help from AI) to enable sufficiently rapid actions. Cross-organization collaboration beyond cybersecurity and IT teams is a must.
* Organizations tend to have idealistic and even rosy views of how their trusted employees access and handle business data until you can prove to decision makers, with data, that the risk is real.
In fact, for insider risk investigations, the entire paradigm is different - potential threats are assumed to be non-malicious and should remain anonymous until proven guilty. Still, technology plays a vital role in helping limit the opportunities for insider threat to actualize.
While the root causes of insider threat are ultimately non-technical, thoughtful use of available technology plays a key role in limiting the conditions in which these risks can turn into reputational or financial harm.
In this session, I'll demo and discuss topics relevant to mitigating insider risk such as:
* "Edward Snowden was a SharePoint admin" - the essentials of identity and access hygiene with Entra ID
* "The absence of a Capable Guardian" - the link between Routine Activity Theory and an effective Purview Data Loss Prevention solution
* "The signal-to-noise ratio" - the differences between types of insider threats and the preferred technical countermeasures for each
* "Connecting the dots" - the most valuable event logs to collect to allow effective detection of sequences of risky insider activity and data exfiltration with Purview Insider Risk Management
As an attendee, you will leave this session with a clear idea of what you can start working on immediately to lay the technical foundations for your insider risk program. The session is well-suited for those responsible for data security, decision makers, security architects and anyone curious to learn more about insider threat - and how to start addressing it.
This session is informed by my own work as a data security solution architect for various organizations.

Tatu Seppälä
Blogger & speaker | Microsoft MVP Security | MCT | Data Security, Insider Risk, Power Platform Security & Governance, IAM
Vantaa, Finland