A high-risk threat from within: defending against insider threats

06 February 2025

Matt Rider, VP Solutions Engineering, UKIE, Exabeam

Insider threats are some of the greatest cybersecurity risks. Unlike other types of security threats, insider threats are complicated because attacks typically involve valid credential use and only a few are caused deliberately.

An insider’s access to an organisation’s most valuable assets makes these attacks harder to identify and remediate.

The impacts of insider threats are far-reaching and have the potential to cause irrevocable damage to an organisation’s reputation. On a financial level alone, the Ponemon Institute found that insider threats cost companies an average of $701.5k per incident in 2023. Beyond these financial losses, organisations that fall victim to insider attacks also face severe reputational and regulatory repercussions.

To overcome this challenge, organisations need to take a smarter, more proactive security approach. Deploying user and entity behaviour analytics (UEBA) provides increased visibility into user access and activities to catch insiders before they exfiltrate critical data or disrupt operations.

Understanding internal risks

Insider threats can originate with authorised users, such as employees, contractors, and business partners, who intentionally or accidentally misuse their legitimate access, or have their accounts hijacked by cybercriminals.

The amount of sensitive data at risk from an insider threat is massive. Common targets for insider threats are financial reporting data, customer data, product or technical documents, and employee data.

There are several types of insider threats that organisations need to be aware of:

  1. Malicious insiders. Typically, malicious insiders are employees or contractors who act with the deliberate aim of stealing information or disrupting operations.

  2. Negligent insiders. Negligent insiders are employees who do not follow proper IT procedures.

  3. Compromised insiders. The most common examples of compromised insiders are employees who have had their devices infected with malware or their credentials stolen.

An AI-driven security approach

Procedures and controls are the essential first line of defence against insider threats. Many traditional security tools were designed to detect incoming attacks rather than analyse valid credential use and activity.

Augmenting your security information and event management (SIEM) platform with an advanced UEBA solution employs an intelligent approach to overcome this challenge. It uses variations of artificial intelligence (AI) and machine learning (ML), data enrichment, and data science to improve threat detection, investigation, and response (TDIR) for insider threats.

Leveraging UEBA enables organisations to stop insider threats before they become incidents in several ways:

  • Rule and signature-free incident detection – UEBA tools use advanced analytics to detect abnormal and risky activity, eliminating the need for predefined correlation rules or threat patterns. They deliver meaningful alerts with minimal setup and tuning, reducing false alarms. With UEBA tools, security teams can conduct in-depth investigations into suspicious activities earlier in the attack cycle to uncover hidden insider threats faster.

  • Dynamic peer groupings – UEBA not only performs behavioural baselining of individual entities but also dynamically groups similar entities, such as users from the same department or IoT devices of the same class. This allows the analysis of normal collective behaviour across the entire group and identifies individuals whose behaviour deviates from it.

  • Real-time monitoring and alerting – UEBA tools continuously analyse network activity, allowing security teams to detect insider threats as they occur. This is crucial in today’s threat landscape, where threats can proliferate and cause damage in a matter of minutes. Once a threat is detected, UEBA tools can send out alerts in real time, enabling security teams to respond swiftly and mitigate the threat before it causes significant damage.

  • Automating investigations – A key feature of modern UEBA tools is their ability to automate and orchestrate various security tasks. Automation allows these tools to execute predefined actions automatically when certain criteria are met. For example, if the system detects multiple failed login attempts from a user within a short period, it can automatically lock the account to prevent unauthorised access.
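To make the baselining and peer-grouping ideas above concrete, here is a small added illustration (not Exabeam's code or any product's algorithm): each new event is scored against the user's own history where one exists, and otherwise against a dynamic peer group (the user's department), so a new joiner with no baseline is still covered. All activity data is constructed for the example, and the z-score threshold is an arbitrary assumption.

```python
"""Toy UEBA-style baselining: score daily file-download counts against the
user's own history and, for users with no history, against their peer group.
Added illustration, not a vendor implementation; all data is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history window: (user, department, files_downloaded_per_day)
HISTORY = [
    ("alice", "finance", 12), ("alice", "finance", 15),
    ("bob",   "finance", 10), ("bob",   "finance", 14),
    ("carol", "finance", 9),  ("carol", "finance", 12),
    ("dave",  "eng",     80), ("dave",  "eng",     95),
    ("erin",  "eng",     90), ("erin",  "eng",     85),
]
# Constructed events for the day being scored; "frank" is a new joiner with no history.
TODAY = [
    ("alice", "finance", 11), ("carol", "finance", 140),
    ("dave",  "eng",     88), ("frank", "finance", 130),
]

def _stats(values, sigma_floor=1.0):
    # A floor keeps a flat history (stdev 0) from turning any change into an infinite score.
    return mean(values), max(pstdev(values), sigma_floor)

def build_baselines(history):
    """Per-user and per-peer-group (mean, stdev) learned from the history window."""
    per_user, per_group = defaultdict(list), defaultdict(list)
    for user, group, count in history:
        per_user[user].append(count)
        per_group[group].append(count)
    return ({u: _stats(v) for u, v in per_user.items()},
            {g: _stats(v) for g, v in per_group.items()})

def score_events(events, history, threshold=3.0):
    """Return {user: (z_score, basis)} for events at or above the threshold.

    basis is 'user' when the user's own baseline was used and 'peer' when the
    dynamic peer group had to stand in for a user with no history."""
    users, groups = build_baselines(history)
    flagged = {}
    for user, group, count in events:
        basis = "user" if user in users else "peer"
        mu, sigma = users[user] if basis == "user" else groups[group]
        z = (count - mu) / sigma
        if z >= threshold:
            flagged[user] = (round(z, 2), basis)
    return flagged

if __name__ == "__main__":
    print(score_events(TODAY, HISTORY))
```

Only carol (against her own baseline) and frank (against the finance peer group) are flagged; alice and dave stay within their normal range. A real deployment would use richer features and a learned rather than fixed threshold, but the two-level comparison is the core of the approach.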

Beyond deploying UEBA, organisations can add an extra layer of defence against insider threats by focusing on employee education.

Prioritising a proactive approach

Defending against insider threats is a complex challenge that requires a comprehensive security approach from organisations.

By harnessing UEBA, security teams gain a future-proof solution to proactively combat emerging risks and deliver effective TDIR. As cyberattacks become more sophisticated, combining the use of AI-powered tools with a culture of threat awareness becomes essential for building the strongest possible defence against insider threats.