Insider threat detection is becoming increasingly critical for housing associations.
As staff members gain access to sensitive tenant and business data, the potential for internal misuse rises. Whether malicious or unintentional, insider threats can result in significant damage.
Read about the different types of insider threats here.
That’s why a well-structured approach to insider threat detection is essential to protecting your organisation’s data and reputation.
In this article, we’ll take you through the steps housing associations can use to detect insider threats more effectively, including the technical strategies and tools that can help improve visibility and detection.
1. Identifying high-risk users
It might be stating the obvious but certain employees pose a higher risk than others.
Staff in finance, IT, or senior roles typically have greater access to sensitive data. Insider threat detection should start with identifying and monitoring these high-risk users.
You can use tools like Microsoft Defender for Identity (which watches on-premises Active Directory activity) and Microsoft Entra ID Protection (for cloud sign-ins) to track unusual behaviours.
Look for:
- Unusual login patterns
- Changes in data access
- Unexpected file downloads
These tools make it easier to spot suspicious activity before it escalates into a full-blown incident.
How to identify high-risk users
Start by mapping out roles with elevated privileges, like finance officers who have access to sensitive tenant data, or IT administrators with broad access to network resources.
Ensure you regularly audit these users’ access rights, remove any rights that are no longer needed for the role, and look out for red flags like:
- Multiple failed login attempts
- Unusual working hours
- Downloading large files unexpectedly
Identifying high-risk users means understanding not only their access level but also their typical behavioural patterns. This allows you to flag anomalies more accurately.
2. Correlating network and identity behaviour
Insider threat detection relies on correlating data from multiple sources.
To get a full picture of an employee’s behaviour, you need to monitor both network activity and identity-based access.
Tools like Microsoft Sentinel and other Security Information and Event Management (SIEM) tools allow you to integrate network logs with user identity data. This helps you correlate behaviours across systems.
For example, if a user’s login time and data access habits suddenly change, you can pinpoint whether this shift in behaviour might indicate an insider threat.
Using Microsoft Sentinel SIEM for correlation
In Microsoft Sentinel, you can set up rules that alert you when specific conditions are met.
If a user signs in from an IP address outside your corporate network and then downloads sensitive files within a short window, the rule can raise an alert and open an investigation.
You can also integrate logs from on-premises and Software-as-a-Service (SaaS) services to give you a broader view of user activity.
Sentinel’s ability to combine network and identity-based data makes it a powerful tool for early detection.
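The correlation described above, written out as an added Python example (this is illustrative code, not part of the original article and not Microsoft's): it joins constructed sign-in records to constructed file-download records by user and flags sensitive downloads that follow a sign-in from outside the corporate ranges. The corporate address ranges, the label names and the log fields are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the housing association's corporate address space. Adjust to your own ranges.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

# Labels whose download within the window is worth correlating (assumption).
SENSITIVE_LABELS = {"Highly Confidential", "Confidential"}

# Constructed sample sign-in events, shaped loosely like Entra ID SigninLogs
# (UserPrincipalName, IPAddress, TimeGenerated). Not real data.
SIGNIN_LOGS = [
    {"user": "j.smith@example-ha.org", "ip": "10.0.4.21",    "time": "2024-03-04T09:02:00"},
    {"user": "a.jones@example-ha.org", "ip": "203.0.113.45", "time": "2024-03-04T22:15:00"},
    {"user": "a.jones@example-ha.org", "ip": "192.168.1.7",  "time": "2024-03-05T08:40:00"},
]

# Constructed file-audit events, shaped loosely like OfficeActivity FileDownloaded rows,
# each carrying the file's sensitivity label. Not real data.
FILE_LOGS = [
    {"user": "j.smith@example-ha.org", "file": "rent-arrears-Q1.xlsx", "label": "Highly Confidential", "time": "2024-03-04T09:10:00"},
    {"user": "a.jones@example-ha.org", "file": "tenant-register.csv",  "label": "Highly Confidential", "time": "2024-03-04T22:31:00"},
    {"user": "a.jones@example-ha.org", "file": "newsletter.docx",      "label": "Public",              "time": "2024-03-04T22:35:00"},
    {"user": "a.jones@example-ha.org", "file": "tenant-register.csv",  "label": "Highly Confidential", "time": "2024-03-05T09:00:00"},
]


def is_corporate(ip: str) -> bool:
    """True if the address falls inside one of the corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def correlate(signins, files, window_minutes=60):
    """Pair each non-corporate sign-in with sensitive downloads by the same user in the following window.

    Returns one finding per (sign-in, download) pair so an analyst sees exactly which
    identity event and which file event were joined.
    """
    window = timedelta(minutes=window_minutes)
    # Index file events by user once, so each sign-in only scans that user's file events.
    by_user = {}
    for f in files:
        by_user.setdefault(f["user"], []).append(f)

    findings = []
    for s in signins:
        if is_corporate(s["ip"]):
            continue  # only sign-ins from outside the corporate network are of interest here
        start = datetime.fromisoformat(s["time"])
        for f in by_user.get(s["user"], []):
            if f["label"] not in SENSITIVE_LABELS:
                continue
            t = datetime.fromisoformat(f["time"])
            if start <= t <= start + window:
                findings.append({
                    "user": s["user"],
                    "signin_ip": s["ip"],
                    "signin_time": s["time"],
                    "file": f["file"],
                    "label": f["label"],
                    "download_time": f["time"],
                    "minutes_after_signin": int((t - start).total_seconds() // 60),
                })
    return sorted(findings, key=lambda x: (x["user"], x["download_time"]))


if __name__ == "__main__":
    for hit in correlate(SIGNIN_LOGS, FILE_LOGS):
        print(f"{hit['user']} signed in from {hit['signin_ip']} at {hit['signin_time']} "
              f"and downloaded {hit['file']} ({hit['label']}) {hit['minutes_after_signin']} min later")
```

Run as-is it reports only the 22:15 external sign-in followed by the tenant-register download; the Public file and the next morning's download from the office are ignored. In Sentinel the same logic is a scheduled query rule that joins SigninLogs to OfficeActivity on the user principal name, filters out your corporate ranges, and keeps rows whose download time falls within the window after the sign-in.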
3. Monitoring high-risk user behaviour
Once you’ve identified high-risk users, continuous monitoring is key.
But you don’t want to be manually reviewing logs all day. No one does. That’s where behavioural analytics tools come in.
Thankfully, Microsoft Defender for Identity can help you automate this process by monitoring patterns of activity and flagging anything that deviates from the norm.
This is especially useful for spotting actions like accessing files they don’t normally interact with or logging in from unusual locations.
Setting up alerts for high-risk users
Defender for Identity builds its own baseline of each account's normal activity during an initial learning period, so you don't set the thresholds by hand. What you do configure is which accounts deserve the closest attention: tag your high-risk users and groups as sensitive entities so their alerts stand out.
For example, you can track whether a high-risk user is:
- Accessing critical systems during off-hours
- Or if there are sudden spikes in data transfers
Based on this analysis, you can adjust alert thresholds to reduce false positives and focus only on the most suspicious activities.
4. Implementing behaviour analytics
Behavioural analytics is essential for insider threat detection.
It helps you see beyond surface-level activity into the underlying trends that may signal a problem. Tools like Microsoft Sentinel offer detailed analytics that can track behavioural anomalies over time.
By establishing baselines for what constitutes normal activity for each user, you can detect deviations early.
For example, if an employee suddenly starts interacting with files or systems they don’t usually access, you can be alerted before any damage occurs.
How to implement behaviour analytics in Microsoft Sentinel
To set up behaviour analytics in Sentinel, follow these key steps:
- In Sentinel, open Settings and turn on User and Entity Behaviour Analytics (UEBA) under Entity behaviour, choosing the data sources it should learn from (UEBA is enabled from Settings, not from the Analytics page). This feature helps track and identify abnormal user and entity behaviour, like irregular login times or unexpected file access.
- Then go to Analytics > Create > Scheduled query rule. Here, you can define specific rules for tracking abnormal behaviour patterns. For example, set a rule to alert you when a user who typically accesses tenant data once a week suddenly downloads large volumes of data in a single day. These rules flag deviations from the baselines UEBA has established.
- Sentinel offers several built-in anomaly detection templates. These templates can help you monitor unusual login attempts, excessive data access, or suspicious file downloads. You can customise them based on your organisation’s typical user behaviour to enhance insider threat detection.
- After setting up your analytics rules and UEBA, Sentinel will continuously monitor user behaviour. Any deviations from established baselines, such as unusual login times or unexpected data downloads, will trigger alerts, allowing you to investigate and respond swiftly.
- As your organisation evolves, it’s important to adjust these baselines and rules. Regularly review the alert thresholds and refine your detection criteria to minimise false positives while ensuring early detection of insider threats.
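The baseline-and-deviation idea behind sections 1, 3 and 4 (and the threshold tuning in section 9), as an added Python example that is not part of the original article: it learns each user's usual sign-in hours and daily download volume from constructed history, then scores a new day for off-hours sign-ins, volume spikes and failed sign-ins. The thresholds, user names and event shapes are assumptions of this example.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Tuning knobs (assumptions). These are the values you revisit when refining thresholds:
# raising Z_THRESHOLD or FAILED_LOGIN_LIMIT produces fewer alerts, lowering them produces more.
Z_THRESHOLD = 3.0        # flag a day whose download volume is more than 3 std devs above the user's mean
FAILED_LOGIN_LIMIT = 5   # flag a day with more than this many failed sign-ins
MIN_HOUR_SAMPLES = 3     # an hour of day counts as "usual" once seen this often in the baseline

USERS = ("f.finance@example-ha.org", "it.admin@example-ha.org")


def _history():
    """Constructed baseline activity for 1-10 March: regular 08:xx sign-ins and modest daily downloads."""
    evs = []
    for d in range(1, 11):
        day = f"2024-03-{d:02d}"
        for u in USERS:
            evs.append({"user": u, "time": f"{day}T08:{30 + d:02d}:00", "action": "login"})
        evs.append({"user": USERS[0], "time": f"{day}T10:00:00", "action": "download", "mb": 8 + d % 3})
        evs.append({"user": USERS[1], "time": f"{day}T14:00:00", "action": "download", "mb": 20 + d % 5})
    return evs


# Constructed events for the day under review (11 March). Not real data.
DAY_EVENTS = [
    {"user": USERS[0], "time": "2024-03-11T23:10:00", "action": "login"},
    {"user": USERS[0], "time": "2024-03-11T23:20:00", "action": "download", "mb": 420},
    *[{"user": USERS[1], "time": f"2024-03-11T08:3{i}:00", "action": "login_failed"} for i in range(6)],
    {"user": USERS[1], "time": "2024-03-11T08:37:00", "action": "login"},
    {"user": USERS[1], "time": "2024-03-11T14:00:00", "action": "download", "mb": 22},
    {"user": "new.temp@example-ha.org", "time": "2024-03-11T09:00:00", "action": "login"},
]
EVENTS = _history() + DAY_EVENTS


def build_baseline(events, cutoff: date):
    """Summarise each user's normal behaviour from events strictly before `cutoff`."""
    hours = defaultdict(lambda: defaultdict(int))
    daily_mb = defaultdict(lambda: defaultdict(float))
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if t.date() >= cutoff:
            continue
        if e["action"] == "login":
            hours[e["user"]][t.hour] += 1
        elif e["action"] == "download":
            daily_mb[e["user"]][t.date()] += e["mb"]
    baseline = {}
    for u in set(hours) | set(daily_mb):
        volumes = list(daily_mb[u].values()) or [0.0]
        baseline[u] = {
            "usual_hours": {h for h, n in hours[u].items() if n >= MIN_HOUR_SAMPLES},
            "mean_mb": mean(volumes),
            "std_mb": pstdev(volumes),
        }
    return baseline


def score_day(events, baseline, day: date):
    """Return {user: [reasons]} for users whose activity on `day` deviates from their baseline."""
    by_user = defaultdict(list)
    for e in events:
        if datetime.fromisoformat(e["time"]).date() == day:
            by_user[e["user"]].append(e)

    flags = {}
    for u, evs in by_user.items():
        b = baseline.get(u)
        if b is None:
            flags[u] = ["no baseline: new or rarely seen account"]
            continue
        reasons = []
        login_hours = {datetime.fromisoformat(e["time"]).hour for e in evs if e["action"] == "login"}
        off_hours = sorted(login_hours - b["usual_hours"])
        if off_hours:
            reasons.append(f"sign-in at unusual hour(s) {off_hours}")
        mb = sum(e.get("mb", 0) for e in evs if e["action"] == "download")
        # Floor the spread so a perfectly regular user is not flagged by a trivial increase
        # (a zero standard deviation would make any change look infinitely anomalous).
        spread = max(b["std_mb"], 0.25 * b["mean_mb"], 1.0)
        z = (mb - b["mean_mb"]) / spread
        if z > Z_THRESHOLD:
            reasons.append(f"download volume {mb:.0f} MB is {z:.1f} std devs above baseline mean {b['mean_mb']:.0f} MB")
        failed = sum(1 for e in evs if e["action"] == "login_failed")
        if failed > FAILED_LOGIN_LIMIT:
            reasons.append(f"{failed} failed sign-ins")
        if reasons:
            flags[u] = reasons
    return flags


REVIEW_DAY = date(2024, 3, 11)
BASELINE = build_baseline(EVENTS, REVIEW_DAY)
FLAGS = score_day(EVENTS, BASELINE, REVIEW_DAY)

if __name__ == "__main__":
    for user, reasons in FLAGS.items():
        print(user, "->", "; ".join(reasons))
```

The finance account is flagged twice (a 23:00 sign-in and a 420 MB download against a 9 MB daily mean), the IT administrator only for six failed sign-ins, and the temp account because it has no history to compare against, which is itself worth a look rather than a silent pass.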
5. Correlating logs for anomaly detection
Most organisations collect vast amounts of log data, but not all of it is useful for insider threat detection.
You need to focus on correlating logs that provide valuable insights.
Microsoft Sentinel can help you detect anomalies by analysing patterns across logs, including:
- Unusual file access
- Login attempts
- Data transfers
By combining endpoint and network data with identity behaviour, you can significantly improve your anomaly detection capabilities.
How to automate anomaly detection in Microsoft Sentinel
Automate the process by setting up automated playbooks in Sentinel that respond to anomalies.
- Create a new playbook:
- In Microsoft Sentinel, navigate to Automation on the side panel.
- Click Create and choose Playbook with alert trigger (or Playbook with incident trigger). This will take you to the Logic App designer.
- Define the trigger:
- The playbook starts from the Microsoft Sentinel alert trigger, so it runs whenever an alert it is attached to fires, such as one for unauthorised data access or logins from unapproved locations.
- Attach it to the relevant analytics rule under that rule’s Automated response tab so Sentinel knows when to run it.
- Add conditions and actions:
- Define the condition for the anomaly, such as a user accessing sensitive files from an unapproved IP or location.
- Under Actions, add steps such as disabling the user (through the Microsoft Entra ID connector, formerly Azure AD) or sending a notification to the security team. Disabling an account is disruptive if the alert is a false positive, so gate that action behind a condition or an approval step and trial it on a small pilot group before applying it to everyone.
- Test and deploy the playbook:
- Once your conditions and actions are set, test the playbook to ensure it behaves as expected.
- When a trigger condition is met, the playbook will automatically respond by taking actions, such as disabling the user’s account or isolating a compromised endpoint.
6. Automation and risk policies
To reduce manual oversight, cybersecurity automation can be a key part of your insider threat detection strategy.
Microsoft Sentinel allows you to build automated responses based on predefined risk policies.
Alongside Sentinel, you can create Conditional Access policies in Microsoft Entra ID that restrict certain users from accessing sensitive data when they connect from non-corporate networks.
Additionally, define stricter automated responses for high-risk users, so that access is revoked automatically when suspicious activity is detected, with a human approval step for privileged accounts where an outage would be costly.
How to automate risk policies
To automate risk policies in Microsoft Sentinel, you’ll need to set up alerts and automated actions based on specific user behaviours that could indicate a risk.
These can include unusual login times, geographic location changes, or sudden spikes in data access. By defining risk conditions and creating automated responses, you can streamline how incidents are handled.
- Define alert rules:
- In Microsoft Sentinel, go to Analytics in the side panel.
- Click Create and choose Scheduled query rule to set up an alert based on risk indicators such as:
- Accessing resources outside normal working hours.
- Logging in from unusual geographic locations.
- Unusually large or frequent data transfers.
- Set the query conditions:
- Use built-in Sentinel templates or custom KQL (Kusto Query Language) queries to define the conditions for triggering alerts. For instance, to flag logins from different geographic regions, you might query logs for IP addresses tied to countries a user has never signed in from.
- Add automated actions:
- After setting your alert conditions, you can automate responses using Playbooks (Logic Apps).
- Set actions such as:
- Blocking user access.
- Sending a notification to security teams.
- Requiring multi-factor authentication (MFA) for the next login attempt.
- Test and deploy:
- Before deploying the automated risk policies, test your rule to ensure it works as expected, and that legitimate activities won’t trigger false positives.
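The risk-policy procedure above, as an added Python example that is not from the original article: an ordered policy maps sign-in conditions (unknown country, non-corporate network against sensitive data, large transfers, off-hours access) to an action, and a dry run replays sign-ins already known to be legitimate to measure how often each rule would fire before it is allowed to block anyone. The rule names, actions, working hours, corporate ranges and user profiles are this example's own assumptions, not Sentinel or Entra ID terms.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions: corporate ranges, working hours and each user's known sign-in countries.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8")]
WORKING_HOURS = range(7, 20)                       # 07:00-19:59 local time
PROFILES = {
    "a.jones@example-ha.org": {"countries": {"GB"}},
    "c.lee@example-ha.org":   {"countries": {"GB"}},
    "d.patel@example-ha.org": {"countries": {"GB", "IE"}},
}


@dataclass
class SignIn:
    user: str
    time: str            # ISO 8601 local time
    ip: str
    country: str         # ISO 3166 code from the sign-in's geolocation
    resource: str
    sensitive: bool      # does the target hold tenant or financial data?
    transferred_mb: float = 0.0


def _on_corporate_network(s):
    return any(ip_address(s.ip) in net for net in CORPORATE_NETWORKS)


def _unknown_country(s, p):
    return s.country not in p["countries"]


def _off_hours(s, p):
    return datetime.fromisoformat(s.time).hour not in WORKING_HOURS


# Ordered risk policy: the first rule whose predicate matches decides the action.
POLICY = [
    ("unknown_country_sensitive", lambda s, p: _unknown_country(s, p) and s.sensitive,        "block"),
    ("unknown_country",           _unknown_country,                                            "require_mfa"),
    ("non_corporate_sensitive",   lambda s, p: s.sensitive and not _on_corporate_network(s),  "require_mfa"),
    ("large_transfer",            lambda s, p: s.transferred_mb > 500,                         "notify_soc"),
    ("off_hours_sensitive",       lambda s, p: _off_hours(s, p) and s.sensitive,               "notify_soc"),
]


def evaluate(signin, profiles=PROFILES, policy=POLICY):
    """Return (rule_name, action). An account with no profile has no known countries, so it
    fails closed into the unknown-country rules rather than being silently allowed."""
    profile = profiles.get(signin.user, {"countries": set()})
    for name, predicate, action in policy:
        if predicate(signin, profile):
            return name, action
    return None, "allow"


def dry_run(known_good, profiles=PROFILES, policy=POLICY, max_fp_rate=0.05):
    """Replay sign-ins already confirmed legitimate and measure how often each rule would fire.

    Returns (per-rule false-positive rate, names of rules above `max_fp_rate`) so a noisy rule can
    be loosened or given a softer action before it is deployed.
    """
    hits = {name: 0 for name, _, _ in policy}
    for s in known_good:
        name, _ = evaluate(s, profiles, policy)
        if name:
            hits[name] += 1
    rates = {name: n / len(known_good) for name, n in hits.items()}
    return rates, [name for name, r in rates.items() if r > max_fp_rate]


# Constructed sign-ins for the day under review (not real data).
TODAY = [
    SignIn("a.jones@example-ha.org",  "2024-03-11T10:05:00", "198.51.100.8", "FR", "TenantDB",  True),
    SignIn("c.lee@example-ha.org",    "2024-03-11T10:20:00", "203.0.113.9",  "GB", "TenantDB",  True),
    SignIn("d.patel@example-ha.org",  "2024-03-11T23:05:00", "10.0.0.5",     "GB", "TenantDB",  True),
    SignIn("d.patel@example-ha.org",  "2024-03-11T11:00:00", "10.0.0.5",     "GB", "FileShare", True, transferred_mb=800),
    SignIn("c.lee@example-ha.org",    "2024-03-11T09:00:00", "10.0.2.2",     "GB", "Intranet",  False),
    SignIn("x.unknown@example-ha.org","2024-03-11T09:00:00", "10.0.2.3",     "GB", "Intranet",  False),
]

# Constructed known-good history for the dry run: eight office sign-ins plus two legitimate
# home-working sessions against tenant data.
KNOWN_GOOD = (
    [SignIn("a.jones@example-ha.org", f"2024-03-0{d}T09:00:00", "10.0.1.1", "GB", "TenantDB", True) for d in range(1, 9)]
    + [SignIn("c.lee@example-ha.org", f"2024-03-0{d}T09:30:00", "203.0.113.9", "GB", "TenantDB", True) for d in (4, 5)]
)

if __name__ == "__main__":
    for s in TODAY:
        print(s.user, s.resource, "->", evaluate(s))
    print(dry_run(KNOWN_GOOD))
```

The dry run shows the non-corporate rule firing on 20 % of known-good sign-ins, because two staff legitimately work from home against tenant data; that is the signal to either exempt approved home workers or keep the action at require_mfa rather than block. The same "replay against a benign window" check is what you would do in Sentinel by running the rule's KQL over the last few weeks of logs before enabling its automation.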
7. Classifying and monitoring sensitive data
Knowing what data is most sensitive is a critical part of insider threat detection.
Without proper data classification, it becomes harder to understand the impact of a potential breach or data exfiltration attempt.
Read how you can better detect data exfiltration in your housing association.
You can use tools like Microsoft Purview to classify your data into categories, such as:
- Personal information
- Financial data
- Intellectual property
Once classified, you can monitor the access of this sensitive data and set up alerts if it’s being accessed by users without proper clearance.
How to classify and monitor data using Microsoft Purview
- Conduct a full data audit:
- Start by identifying all data within your organisation. Categorise it based on sensitivity levels, such as public, confidential, or highly sensitive.
- Use Microsoft Purview’s Data Map to scan and classify the data stored across on-premises, cloud, and third-party services. Purview will automatically detect sensitive information types like financial data or personally identifiable information (PII).
- Label data for classification:
- With Microsoft Purview, set up sensitivity labels to classify your data. For instance:
- “Highly Confidential” for customer data or trade secrets.
- “Confidential” for internal reports or non-public communications.
- Labels can be applied manually or automatically based on the data’s content and type.
- Create policies to monitor and track access:
- After classifying data, use Data Loss Prevention (DLP) policies in Purview to track and monitor who accesses sensitive data.
- Set up conditions that trigger alerts for:
- Users downloading sensitive files.
- Data transfers outside the organisation.
- Accessing sensitive information from unusual locations.
- Automate alerts for unauthorised access:
- Set up alerts and automate responses when access outside a user’s role is detected. For example, if a user whose role does not require it opens “Highly Confidential” data, or shares it outside the organisation, an alert is triggered in real time.
- Integrate Microsoft Sentinel to further enhance monitoring, automatically logging incidents and activating playbooks for rapid response, such as blocking access or sending notifications to security teams.
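The classification and access-monitoring steps above, as an added Python example that is not from the original article and not Purview's own logic: two simplified detectors (a UK National Insurance number pattern and a Luhn-validated payment card pattern) stand in for sensitive information types, content is labelled from what they find, and access events are then checked against each user's clearance and for external sharing. The detectors, label names, clearances, documents and events are all this example's assumptions.

```python
import re

# Simplified detectors standing in for Purview sensitive information types (assumption).
# UK National Insurance number: two letters (with prohibited first/second letters and prefixes),
# six digits, final letter A-D.
NI_NUMBER = re.compile(r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b")
# 13-19 digits optionally separated by spaces or hyphens; confirmed with the Luhn check below.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
CONFIDENTIAL_KEYWORDS = ("confidential", "internal only", "not for distribution")

LABEL_RANK = {"Public": 0, "Confidential": 1, "Highly Confidential": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str):
    """Return (label, findings) for a piece of content, mirroring an auto-labelling pass."""
    findings = [("ni_number", m) for m in NI_NUMBER.findall(text)]
    for m in CARD_CANDIDATE.findall(text):
        digits = re.sub(r"[ -]", "", m)
        if luhn_ok(digits):
            # Keep only a masked form in the finding so the alert itself does not leak the number.
            findings.append(("payment_card", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    if findings:
        return "Highly Confidential", findings
    if any(k in text.lower() for k in CONFIDENTIAL_KEYWORDS):
        return "Confidential", findings
    return "Public", findings


# Constructed documents (not real tenant data).
DOCUMENTS = {
    "tenant-register.csv": "Name,NI number,Rent account\nJane Doe,AB123456C,RA-0091\n",
    "card-payments.txt":   "Payment taken on card 4111 1111 1111 1111 for rent arrears.",
    "board-minutes.txt":   "CONFIDENTIAL: internal discussion of the Q3 repairs budget.",
    "newsletter.txt":      "Community garden opens Saturday. Event ref 1234567890123.",
}
LABELS = {name: classify(text)[0] for name, text in DOCUMENTS.items()}

# Clearance per user, by role (assumption). Levels match LABEL_RANK.
CLEARANCE = {"f.finance@example-ha.org": 2, "it.admin@example-ha.org": 1, "comms@example-ha.org": 0}
INTERNAL_DOMAIN = "example-ha.org"


def dlp_check(event, labels=LABELS, clearance=CLEARANCE):
    """Evaluate one access event against labels and clearance; return an alert string or None.

    event: {"user", "action": "download" | "share", "file", "recipient" (for shares)}
    """
    label = labels.get(event["file"], "Public")
    if clearance.get(event["user"], 0) < LABEL_RANK[label]:
        return f"{event['user']} accessed {event['file']} labelled {label} above their clearance"
    recipient = event.get("recipient", "")
    if event["action"] == "share" and label != "Public" and not recipient.endswith("@" + INTERNAL_DOMAIN):
        return f"{event['user']} shared {label} file {event['file']} externally with {recipient}"
    return None


# Constructed access events (not real audit data).
ACCESS_EVENTS = [
    {"user": "f.finance@example-ha.org", "action": "download", "file": "tenant-register.csv"},
    {"user": "comms@example-ha.org",     "action": "download", "file": "tenant-register.csv"},
    {"user": "it.admin@example-ha.org",  "action": "share",    "file": "board-minutes.txt", "recipient": "friend@gmail.example"},
    {"user": "comms@example-ha.org",     "action": "share",    "file": "newsletter.txt",    "recipient": "press@local-news.example"},
]
ALERTS = [a for a in (dlp_check(e) for e in ACCESS_EVENTS) if a]

if __name__ == "__main__":
    print(LABELS)
    for a in ALERTS:
        print("ALERT:", a)
```

The newsletter's 13-digit event reference fails the Luhn check and stays Public, which is the kind of false positive a bare digit-count regex would generate; the two alerts are the comms officer opening tenant NI numbers and the administrator sharing confidential minutes to a personal address.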
Read our eight effective steps for data exfiltration incident response.
8. Linking HR systems with security tools
Often, insider threats coincide with employment events like terminations, role changes, or extended absences.
Housing associations can improve their insider threat detection by integrating HR systems with their security monitoring tools.
By linking HR data with tools like Microsoft Sentinel, you can flag employees undergoing role changes or terminations as higher risk.
This integration allows you to monitor behaviour during high-risk periods more closely and reduces the chances of insider threats going undetected.
How to integrate HR systems
- Connect HR systems with security tools:
- Use APIs or third-party connectors to sync your HR platform with Microsoft Sentinel or Microsoft Defender for Identity.
- Common HR systems like Workday or SAP SuccessFactors expose APIs from which role changes and termination notices can be pulled; the simplest pattern is to push that feed into a Sentinel watchlist that your analytics rules join against, so security monitoring sees employment status without needing direct access to the HR platform.
- Automatically adjust user risk profiles:
- Once integrated, set up automations that adjust user risk profiles based on changes in their employment status.
- For example, if an employee’s role changes to one with greater data access, their risk profile will automatically update, triggering closer monitoring in security systems like Sentinel.
- Flagging employees in transition:
- Sentinel can be configured to flag employees who are about to leave the organisation or have recently moved to a new role. This allows for enhanced monitoring of their activities, particularly during sensitive periods like offboarding.
- Alerts can be created for unusual activity, such as unauthorised file access, during these transitions, helping you detect potential insider threats early.
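The HR-to-security link described in this section, as an added Python example that is not from the original article: constructed HR records are turned into a per-user monitoring tier (the shape of a Sentinel watchlist), and incoming alerts are escalated when the user is serving notice, has just moved into a privileged role, or has already left but still has an account. The HR field names, role list, windows and severities are this example's assumptions.

```python
from datetime import date

# Constructed records in the shape an HR export or API might return (field names are assumptions).
HR_FEED = [
    {"user": "a.jones@example-ha.org",  "role": "Finance Officer",  "status": "active", "role_changed": None,         "leave_date": None},
    {"user": "m.brown@example-ha.org",  "role": "Housing Officer",  "status": "notice", "role_changed": None,         "leave_date": "2024-04-12"},
    {"user": "it.admin@example-ha.org", "role": "IT Administrator", "status": "active", "role_changed": "2024-03-20", "leave_date": None},
    {"user": "p.green@example-ha.org",  "role": "Housing Officer",  "status": "leaver", "role_changed": None,         "leave_date": "2024-02-01"},
    {"user": "s.ward@example-ha.org",   "role": "Repairs Clerk",    "status": "active", "role_changed": None,         "leave_date": None},
]
PRIVILEGED_ROLES = {"Finance Officer", "IT Administrator", "Director"}
LEAVER_WINDOW_DAYS = 30        # heightened monitoring in the run-up to a known leave date
ROLE_CHANGE_WINDOW_DAYS = 14   # and just after a move into a privileged role
SEVERITIES = ["low", "medium", "high"]


def _d(s):
    return date.fromisoformat(s) if s else None


def risk_tier(record, today):
    """Derive a monitoring tier and the HR reasons behind it for one employee."""
    leave, changed = _d(record["leave_date"]), _d(record["role_changed"])
    if leave and leave <= today:
        # Still in the feed after the leave date: the account should already be disabled.
        return "critical", [f"left on {leave} but account still present"]
    reasons = []
    if leave and (leave - today).days <= LEAVER_WINDOW_DAYS:
        reasons.append(f"leaving in {(leave - today).days} days")
    if changed and (today - changed).days <= ROLE_CHANGE_WINDOW_DAYS and record["role"] in PRIVILEGED_ROLES:
        reasons.append(f"moved into privileged role {record['role']} on {changed}")
    if reasons:
        return "high", reasons
    if record["role"] in PRIVILEGED_ROLES:
        return "elevated", [f"privileged role {record['role']}"]
    return "standard", []


def build_watchlist(feed, today):
    """Map user -> (tier, reasons). In Sentinel this is the watchlist your rules join against."""
    return {r["user"]: risk_tier(r, today) for r in feed}


def escalate(alert, watchlist):
    """Raise an alert's severity one step for users in transition, and recommend automatic
    containment when the account belongs to someone who has already left."""
    tier, reasons = watchlist.get(alert["user"], ("standard", []))
    sev = SEVERITIES.index(alert["severity"])
    contain = False
    if tier == "critical":
        sev, contain = len(SEVERITIES) - 1, True
    elif tier == "high":
        sev = min(sev + 1, len(SEVERITIES) - 1)
    return {**alert, "severity": SEVERITIES[sev], "hr_context": reasons, "auto_contain": contain}


TODAY = date(2024, 3, 25)
WATCHLIST = build_watchlist(HR_FEED, TODAY)

# Constructed analytics alerts to run through the escalation step.
ALERTS = [
    {"user": "m.brown@example-ha.org", "severity": "medium", "title": "Bulk download of tenant files"},
    {"user": "p.green@example-ha.org", "severity": "low",    "title": "Sign-in after leave date"},
    {"user": "s.ward@example-ha.org",  "severity": "medium", "title": "Bulk download of tenant files"},
]

if __name__ == "__main__":
    for user, (tier, reasons) in WATCHLIST.items():
        print(user, tier, reasons)
    for a in ALERTS:
        print(escalate(a, WATCHLIST))
```

The same bulk-download alert lands as high for the officer serving notice and stays medium for the clerk with no HR context, while any activity on the leaver's still-active account is pushed to high with containment recommended; the leaver case is as much an offboarding failure to fix as a detection.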
9. Refining your detection over time
Detecting insider threats isn’t a one-and-done task. Threat detection evolves over time, and so should your monitoring practices.
Regularly review your baselines for normal user behaviour and adjust them as needed.
For instance, as your housing association grows, you may need to fine-tune detection rules to account for new roles or systems.
Microsoft Sentinel allows you to update your alert thresholds and detection policies dynamically, ensuring you’re always one step ahead of potential insider threats.
How to refine detection strategies
Refining your detection strategies is essential for staying ahead of evolving insider threats. Here’s how you can fine-tune your approach using Microsoft Sentinel:
- Schedule regular audits:
- Conduct periodic audits of alert thresholds and detection rules within Sentinel. This helps ensure that your monitoring settings are aligned with the latest threat trends and organisational changes.
- Deploy Sentinel’s built-in analytics:
- Use Microsoft Sentinel’s analytics to compare current user behaviour against historical baselines. Sentinel provides insights into normal patterns, allowing you to detect deviations and adjust thresholds where necessary.
- Adjust sensitivity levels:
- Based on the data, refine the sensitivity of your anomaly detection. If you’re getting too many false positives, raise your thresholds so only larger deviations alert. If suspicious activity is going unnoticed, lower your thresholds to capture more anomalies, and check the false-positive rate again after each change.
- Learn from past incidents:
- Regularly assess past insider threat incidents. Analyse these events in Sentinel and look for common indicators that weren’t flagged initially. Adjust your monitoring rules and detection strategies to better catch similar risks in the future.
Summary of improving insider threat detection
Detecting insider threats is vital for housing associations looking to protect their data and systems.
By identifying high-risk users, correlating network and identity behaviour, and using automated tools, you can improve your insider threat detection efforts.
Classifying sensitive data and integrating HR systems can provide further protection, helping you catch potential threats early.
Continuous refinement of your detection strategy is key to keeping your organisation secure. Take these steps to stay ahead of insider threats and protect your organisation from within.
Watch our on-demand housing association cybersecurity strategy webinar
For more insights into insider threat detection and data exfiltration detection in housing associations, watch our on-demand webinar: Housing association cybersecurity strategy.