How to Combat Insider Threats

Pierluigi Paganini April 13, 2023

Knowing that insider threats are a risk is one thing. Knowing how to fight them off is entirely another.

Dealing with issues of insider cyber risk can be different and nuanced. It’s hard to admit that someone from within the company could ‘not be who they say they are’, and it takes a group effort to get these types of programs off the ground.

However, over one-third of businesses are impacted by insider threats every year, and US businesses face about 2.500 internal security breaches in the aggregate per day. These cases are out there. No company with any zero-trust initiatives can responsibly look the other way.

The question isn’t why to build out an insider threat prevention program: it’s how.

The origin and impact of insider risk

To understand best how to combat them, it helps to know where insider threats originate and why.

As cited in TechJury, more than two out of three insider threats are caused by negligence. Fraud, financial gain, and intellectual property theft are the primary motivators, and ‘trusted business partners’ typically account for 15-25% of the cases across all industries. Nine in ten result from human error.

What starts as a careless, disgruntled, or simply ignorant employee maneuver can result in credential theft, data loss, and unforeseen damage. These aren’t insignificant encounters: Credential theft can cost upwards of $850,000 per incident, and companies are now spending 60% more than they did three years ago combatting the effects of insider risk. In most cases (85%), companies can’t even definitively determine the cost of the overall damage caused by these types of incidents.

Fortunately, some great products are out there to help organizations get a handle on the insider threat problem and make inroads into securing their digital enterprise from the inside out.

The top insider threat software products of 2023

Data Detection and Response (DDR) company Cyberhaven offers valuable insights into some of the top security tools designed with inside threats in mind. For a quick rundown, they are:

  • Aware | This helps monitor messaging apps like Slack and Microsoft Teams
  • Exabeam | A mature vendor that leverages SIEM and XDR to spot internal anomalies
  • Gurucul | Baselines user behavior using AI-based tools and leverages social media data
  • IBM QRadar | Analyzes logs and network traffic patterns and triggers automated alerts
  • LogRhythm | Leverages UEBA and machine learning to detect signs of insider compromise
  • Secuonix | Uses SIEM, UEBA and SOAR to spot internal anomalies

Finding the right solution to integrate with your existing stack is paramount to implementing an internal threat-resistant solution that will last. It also helps to define your insider-specific security strategy before you invest, so you’ll understand which tool (or tools) you’ll need. This all comes down to how you approach the development of your insider threat program.

Developing your insider threat program

When building out your insider threat approach, there are two methodologies, and both must be attended to.

One is dealing with the aftermath. This is the SOC-side action, tracking down threats once your tools give you fair warning. While this is imperative, it does leave gaps when alerts are too high and teams are too busy. Sometimes, things fall through the cracks.

Another method, and one that should be used in tandem, is prevention. This means vetting alerts before they get to the SOC so that the analysts know they’re valuable and worth looking into when they get there. To do this, high-quality alerts need to be generated. This requires a multi-point approach and combines user info with data info. Keeping an eye on your inside data – not just your inside workforce – is key to validating alerts. Did an errant employee gain unauthorized access to last year’s financial data or HR’s virtual Spirit Week flyer? The details matter, and finding tools that can give you multi-faceted data improve the quality of your alerts and your program overall. 

All hands on deck

Combatting insider threats comes down to more than just fancy tools and well-thought-out strategies, although those are integral parts. A key component of creating a culture that vets and rejects risky internal behavior is having everyone involved – because everyone is an insider.

Those with access to more data are more dangerous, technically speaking. Most organizations would agree: 55% identified privileged users as their greatest insider threat risk. While no particular subset should be watched more than others (per se), there are specific things each department can do as part of ongoing efforts.

  • Executive leadership | The C-suite and other primary decision-makers are responsible for attaining a top-down view of the problem; this is where your tools and data analytics come into play. They can only strategize a solution with an accurate assessment of the problem.
  • HR teams | Interestingly, HR teams play a vital role in what otherwise seems like a technical domain. Because they liaise between the board and employees, they are key for promoting (requiring?) security initiatives and act as gatekeepers in some of the moments most vulnerable to inside attack: onboarding and offboarding.
  • Legal teams | These teams need to understand what’s at stake if compliance obligations aren’t met and how to stay on the right side of regulatory requirements. It can be a landmine, and ignorance is no excuse. Employees can unwittingly bring in illegal data from their previous company, and insider threats must be reported in a certain way.
  • Security and IT | While this is an obvious no-brainer, SOCs should remember to work alongside the above parties, not independently of them. Mitigating internal cybersecurity risks may seem like a ‘security-only job’, but as is evident, it takes a village. Working in siloes or being guarded about the data won’t help anybody, and all parties benefit when internal strategies are aligned – from board-level buy-in to the tools you use.

Over half (55%) of companies use tools and activities to reduce insider threat, roughly the same number (54%) use DLP software, slightly less (50%) use UBA software, and 47% use employee monitoring and surveillance (participants could select more than one answer).

Whatever system you use, the key thing to remember is that your strategy supports user activity monitoring with an equal amount of data monitoring, so any remediation time is spent chasing real threats, not ignoring ‘too many’ alerts.

About the author: Katrina Thompson

An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.  

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

  • The Teacher – Most Educational Blog
  • The Entertainer – Most Entertaining Blog
  • The Tech Whizz – Best Technical Blog
  • Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Insider Threats)



you might also like

leave a comment