Protecting your organisation against insider threats: best practices and real-world examples

In this article, Exabeam’s explains the threats that companies face from malicious insider activity, and maps out the best ways to mitigate these issues.

Organisations are facing a rising threat from malicious, negligent, and compromised insiders, as evidenced by the 2022 Ponemon Cost of Insider Threats Report, which shows a 44% increase in insider threat incidents over the past two years and costs per incident up more than a third to $15.38 million. In a recent webinar, Exabeam Senior Product Marketing Manager Jenelle Davis and Sales Engineer John Nowotny shared best practices for protecting organisations against insider threats and showcased real-world examples of Exabeam customers successfully fighting back.

Understanding normal vs. abnormal behaviour

The first key to fighting insider threats is to understand what normal behaviour looks like in your organisation. As Jenelle explains, “You need tools in place to help you to be able to distinguish between the normal and the abnormal. An effective security tool will allow you to baseline that normal behaviour and detect, prioritise, and respond to any abnormalities that are taking place.” Exabeam user and entity behaviour analytics (UEBA) capabilities can help organisations to detect any abnormal activities that may indicate a potential threat.

Embracing automation

Automation is another crucial tool in the fight against insider threats. John explains that “automation can help to alleviate the issues that exist within cybersecurity platforms, and allow analysts to focus on the parts of the process that can be automated.” Exabeam automation capabilities can create timelines for events, allowing analysts to quickly kickstart their investigations. As Jenelle points out, “automation doesn’t have to be an all-or-nothing proposition. With careful thought and planning, organisations can take a phased approach to automation and find the appropriate level that works for them.”

Thinking like an attacker

Finally, it’s important to think like an attacker in order to protect your organisation against insider threats. Jenelle advises, “Think about how you’re positioned in ways that might be vulnerable to attackers. How could you get access to a system if you didn’t have the proper credentials? How do you know what’s normal and not normal within this network?” By taking a proactive approach and identifying potential vulnerabilities, organisations can better protect themselves against insider threats.

Real-world examples of success

New-Scale SIEM™ from Exabeam has proven to be effective in helping organisations fight back against insider threats. In one example, an Exabeam customer was able to quickly detect and remediate an attack by the Lapsus$ gang, thanks to the notable user function in Advanced Analytics. John notes that the Exabeam “behaviour analytics engine can quickly understand what’s happening for every user and asset in your organisation and understand what’s deviated from normal. Once there’s enough aggregate risk here, we can understand what becomes a notable user, notable asset.”

In another example, a company that was previously using Splunk was able to augment their existing system with Advanced Analytics. As John explains, the Exabeam “ability to quickly bring on data and easily onboard it at an attractive price point really puts everything into one platform, singular platform to manage and have that ability with the analytics on top to continue bringing additional investment and value to the data sources they were onboarding.”


As insider threats continue to be a growing concern for organisations, it’s crucial to take a proactive approach to safeguarding your assets and sensitive information. By understanding what normal behaviour looks like within your organisation, embracing automation, and thinking like an attacker, you can better protect your organisation against insider threats. New-Scale SIEM offers features like advanced analytics and notable user functions that can help organisations quickly detect and remediate potential threats.