Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

8 Ways to Spot an Insider Threat

The good news is most insider threats derive from negligence, not malicious intent. The bad news is the frequency of negligence is already ahead of where it was in 2018.

9 Slides
A cartoon drawing of two hands typing on a computer laptop
(Image Source: vivali via Adobe Stock)

When the challenge of battling inside threats arises, it's tempting to dismiss the process as little more than identifying the rogue employee(s), along with reviewing and refining permissions, controls, and authorizations to prevent recurrence. Depending on the industry, some public apologies may need to be made and some regulatory fines may need to be paid.

The good news and the bad news with insider threats? The good news is most insider threats derive from negligence, not malicious intent, as Katie Burnell, global insider threat specialist at security vendor Dtex Systems, explained in a November Dark Reading webinar about the insider threat. The bad news, she said, is the frequency of negligence is already ahead of where it was in 2018.

Compounding the problem is the fact there are more networks, more devices, and, of course, more data to monitor and secure. Organizations understand they can't equally secure it all. One approach has been to prioritize the monitoring of those users with the highest privileges, perhaps aided by the use of privileged access management (PAM) tools.

Our list of insider threats identifies the "who," but what about the "how" of detection? Log files and SIEM data may offer some forensic footprints to see who accessed which servers, databases, and individual files. But the volumes of monitoring data are too great to do this for all users, security experts agree. This has opened the door to user and entity behavior analytics (UEBA), which flags anomalous behavior by user. Some security vendors are starting to push the idea of "identity as a perimeter," according to ESG analyst Doug Cahill, rather than using the more traditional physical perimeter of the network. "So you monitor who has access and whether they do anything anomalous," Cahill explains.

Vendors are also talking about adding artificial intelligence and machine learning to the security equation. While those implementations remain rather basic, you don't need an algorithm to see this is where security managment is headed. Detecting and stopping malicious insiders will need this extra oomph, which automates tasks otherwise left to humans.

Do you have any experience with the kinds of malicious insiders tagged here?

About the Author

Terry Sweeney, Contributing Editor

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, Network World, InformationWeek and Mobile Sports Report.

In addition to information security, Sweeney has written extensively about cloud computing, wireless technologies, storage networking, and analytics. After watching successive waves of technological advancement, he still prefers to chronicle the actual application of these breakthroughs by businesses and public sector organizations.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights