Model Behaviour

Network Computing | Saryu Nayyar, CEO of Gurucul

The insider threat does not have a single recognisable threat profile. Saryu Nayyar, CEO of Gurucul thinks that a different approach is required to combat this growing risk

The continuing rise of insider threat behaviour reminds organisations of the importance of taking control of their IT infrastructure. The 2019 Verizon Data Breach Report found that 34 per cent of breaches involve internal actors: this makes it one of the most prevalent issues that organisations are now facing. Cybercriminals are becoming smarter and more agile and it is down to organisations to fulfill their obligations to protect the information that they hold.


The reality of insider threat behaviour is that it doesn’t always have to be malicious, coming from a disgruntled employee looking to steal company information from right under the noses of the executives. User errors are a common example of the insider threat and can occur when someone accidentally clicks a phishing link and compromises an account, or when an unattended laptop subsequently leads to data theft.

Of course, there remains the typical malicious insider. These users may have been bribed, have pressure put on their families, or simply realise they can monetise internal data or intellectual property for their own gain.


Insider threat encompasses a wide range of complex behaviours and motives, all of which are so diverse that the only effective way to detect them is through the use of artificial intelligence and machine learning. Conventional cybersecurity tools offer very little when it comes to defending against insider threats. Thankfully, however, solutions exist that allow organisations to gain a holistic view of their cybersecurity landscape and stay ahead of the game when it comes to insider threats and the dangers they pose.

Unfortunately, security information and event management (SIEM), data loss prevention (DLP) and other rules-based security products can only detect known threats. Insider attacks are unknown threats. While external attackers must first penetrate the network before finding the information they seek (while remaining undetected), malicious insiders may already understand where the valuable data is and how to access it.

Through the use of User and Entity Behaviour Analytics (UEBA) and machine learning algorithms, employers can track and analyse employee behaviour to identify anomalous and suspicious activities. These activities could range from an accountant who downloads a confidential file they’ve never looked at before, to a salesperson who suddenly starts emailing large volumes of customer data to their personal account. By utilising machine learning, organisations are able to compare current user behaviour to baseline standard behaviour. Using that as a starting point, it becomes easy to identify suspicious trends, spot outliers and remediate threats.


A UEBA solution provides models with predictive intent, to identify malicious insider activities. It can detect activities such as brute-force attacks, suspicious password resets, account sharing or even logins from an unusual device or location. For malicious insiders, it can detect unusual behaviour such as file crawling, where an insider tries to access multiple resources to gain access to data.

In the ongoing battle against ever more advanced cyberattacks, defenders must innovate to remain one step ahead of the newest threats. Being able to spot high-risk users with abnormal behaviours through machine learning is a force multiplier. Humans simply cannot effectively sift through the vast volumes of data that a UEBA solution can.

The adoption of behaviour analytics can help to address another major challenge in detecting insider threats, namely digital transformation initiatives that involve hybrid (on-premise and cloud) environments. Since attackers will use any means necessary to compromise an account in order to break into an organisation, companies must be able to observe every layer of their security protocols: they are remiss if they don’t take insider threats into account when looking at their overall security infrastructure.

External Link: Model Behaviour


Share this page:

Related Posts