
Combat Insider Threats with ArcSight Intelligence

by in Cybersecurity

Research from the 2022 Ponemon Institute Cost of Insider Threats Global Report says the average time to contain an insider threat incident has increased from 77 days to 85 days in the space of two years. The cost of insider threats has nearly doubled within the last four years, from an average annualized cost of 8.3 million USD to 15.38 million USD.

Is It Really Fierce?

Digital Transformation is non-negotiable—but so is security.

But as more users with more devices have more access to more resources than ever, we cannot ignore the reality that much of our risk originates inside the network. User negligence is still the top cause, accounting for nearly 56% of all insider incidents.

Insider threat statistics show that 85% of organizations say they find it difficult to determine the actual damage of an insider attack (Source: Security RoundTable research).

Part of the difficulty stems from the level of implicit confidence we place in people and technology. Insider threats almost always involve some form of trust violation, whether deliberate or inadvertent, and the resulting loss of data or digital resources may likewise be deliberate or accidental. It all starts with changing the adage "trust, but verify" to "trust only when necessary, and then monitor, track, and check everything." It's not as elegant to say, but it's a heck of a lot more helpful.

So, how do companies go about monitoring and tracking everything? According to Ponemon, 62% of security professionals use user-behavior-based tools to detect insider threats.

Managing insider threats requires rethinking many security strategies. It begins with the assumption that a breach has already happened. The real challenge then lies in discovering an attack before it impacts the business, well before any damage occurs. That calls for a solution capable of understanding user and entity behavior.

Initially, UBA (User Behavioral Analytics) was intended to provide granular visibility into user behavior, within and outside the corporate network, in order to identify potentially malicious anomalous activity. With the addition of entities to the solution you now have UEBA, which recognizes that, to provide genuinely effective security, a variety of entities (hosts, service accounts, IP addresses and so on) must be profiled as well, and their actions correlated with those of users.

This more comprehensive methodology gives the security team detailed context, enabling them to respond before a risk turns into an incident or breach.

Span of Control

When properly implemented, UEBA solutions cover a variety of insider threat use cases, such as: 

  • Endpoint monitoring, whether on or off the network, that gives comprehensive insight into device and user activity and also tracks resource access and data transfer, to help spot erratic or malicious behavior. 
  • Attempts at data exfiltration, including moving data to online and cloud services or onto external storage devices such as USB drives. 
  • Real-time identification of policy infractions, covering the complete spectrum of regulatory compliance requirements. 
  • Prevention of account escalation, compromise, or takeover through techniques such as credential stuffing.

Rules-Based and Machine Learning Engines

UEBA solutions can accurately identify anomalous user and device behavior, policy violations, unauthorized data access, improper data movement and exfiltration, and compromised accounts.

While UEBA tools use unsupervised machine learning to detect unknown threats, rule-based engines cover known threats. Rule-based engines simplify policy adherence and strengthen security controls by immediately detecting policy violations, identifying risky behaviors or activities that could lead to a regulatory breach, and detecting and responding to compliance violations that put IP, PII, and other critical resources at risk.

At the same time, the UEBA machine-learning engine automatically learns user behaviors across peer groups and integrates with the rule-based engine to provide layered analytics. To learn more, refer to the SecOps page.

What Can ArcSight Intelligence Do For You?

ArcSight Intelligence does this by leveraging behavioral analytics, powered by unsupervised machine learning. The ArcSight Intelligence platform empowers security teams with visibility across endpoints, servers, networks, and even terabytes of log data. ArcSight offers a complete picture of inside threats from the backend to the endpoint.

Different Types of Insider Threats

In the above infographic, typical users who can potentially be insider threats are depicted.

1: Collaborators are authorized users who work with a third party to intentionally harm the organization. The collaborator’s action would lead to the leak of confidential information or the disruption of business operations.

2: Goofs deliberately take potentially harmful actions but harbor no malicious intent. A goof may be a user who stores confidential customer information on their personal device, even though they know it’s against organizational policy.

3: Pawns are authorized users who have been manipulated into unintentionally acting maliciously, often through social engineering techniques such as spear phishing.

4: Lone wolves operate entirely independently and act without external manipulation or influence. They can be especially dangerous because they often hold privileged system access, for example as database administrators.

Learn more about the types of insider threats.

Through machine learning, ArcSight Intelligence builds a holistic picture of normal behavior. Upon spotting anomalous or high-risk activities, it connects these events to the users involved, raises their risk score (sharply reducing false-positive alerts, since a single anomaly does not by itself become an alert), and presents the incident's context in a clear, actionable, interactive interface. ArcSight Intelligence detects and surfaces insider threats while enabling security teams to work more quickly and efficiently to mitigate them.

Furthermore, ArcSight Intelligence creates risk profiles for users to identify and prevent risky behavior by knowledge workers, remote workers, and departing employees. Entity risk profiling also makes it instrumental in identifying Shadow IT.
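The layered analytics described under "Rules-Based and Machine Learning Engines" and the risk scoring just described can be sketched in a few dozen lines: a rule engine for known policy violations, an unsupervised peer-group baseline for unknown behavior, and a per-user risk score that accumulates evidence from both instead of alerting on every event. The Python below is an added illustration written for this page, not ArcSight Intelligence code; the events, peer groups, rule names, weights and anomaly threshold are all constructed assumptions. It uses a median/MAD robust z-score per peer group as the unsupervised baseline, a deliberately simple stand-in for the models a commercial UEBA product would use.

```python
"""Minimal layered UEBA pipeline (added example, not ArcSight code).

Layer 1: rule engine for known-bad patterns (policy / compliance).
Layer 2: unsupervised peer-group baseline (median / MAD robust z-score).
Layer 3: per-user risk score accumulated from both layers, with evidence.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Event:
    user: str
    peer_group: str      # assumed to come from HR / directory data
    hour: int            # local hour of day, 0-23
    bytes_out_mb: float  # data moved off the endpoint in this event
    destination: str
    usb: bool            # True if the destination was removable media


# Constructed sample events: finance users move a few MB to the corporate
# SharePoint; engineers routinely push hundreds of MB to the internal git
# server; "dave" in finance moves huge volumes at night to personal cloud and USB.
EVENTS = [
    Event("alice", "finance", 10, 12, "sharepoint.corp", False),
    Event("alice", "finance", 11, 8, "sharepoint.corp", False),
    Event("bob", "finance", 9, 15, "sharepoint.corp", False),
    Event("bob", "finance", 14, 10, "sharepoint.corp", False),
    Event("carol", "finance", 13, 9, "sharepoint.corp", False),
    Event("carol", "finance", 22, 11, "sharepoint.corp", False),  # late, but normal volume
    Event("dave", "finance", 23, 900, "drive.google.com", False),
    Event("dave", "finance", 2, 1500, "usb", True),
    Event("erin", "engineering", 10, 300, "github.corp", False),
    Event("erin", "engineering", 15, 250, "github.corp", False),
    Event("frank", "engineering", 11, 280, "github.corp", False),
]

PERSONAL_CLOUD = {"drive.google.com", "dropbox.com", "wetransfer.com"}  # assumed list

# Layer 1: known threats. (name, weight, predicate); weights are assumptions.
RULES = [
    ("usb_copy", 30, lambda e: e.usb),
    ("personal_cloud_upload", 25, lambda e: e.destination in PERSONAL_CLOUD),
    ("after_hours_access", 10, lambda e: e.hour < 6 or e.hour >= 22),
]


def apply_rules(events):
    """Return (event, rule_name, weight) for every rule each event trips."""
    return [(e, name, w) for e in events for name, w, pred in RULES if pred(e)]


def robust_z(value, med, mad):
    """Robust z-score; 0.6745 rescales MAD to a standard-deviation equivalent."""
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def peer_anomalies(events, feature="bytes_out_mb", threshold=3.5):
    """Layer 2: baseline each peer group on `feature` with no labels, and flag
    events whose robust z-score exceeds `threshold` (3.5 is a common cutoff)."""
    by_group = defaultdict(list)
    for e in events:
        by_group[e.peer_group].append(e)
    flagged = []
    for group_events in by_group.values():
        vals = [getattr(e, feature) for e in group_events]
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        for e in group_events:
            z = robust_z(getattr(e, feature), med, mad)
            if z > threshold:
                flagged.append((e, round(z, 1)))
    return flagged


def naive_threshold_hits(events, limit_mb=200):
    """What a flat, peer-blind threshold would flag, for comparison."""
    return {e.user for e in events if e.bytes_out_mb > limit_mb}


def risk_scores(events, anomaly_weight=20):
    """Layer 3: accumulate a per-user score from both layers and keep the
    supporting evidence an analyst needs. Returns (ranked list, evidence)."""
    scores, evidence = defaultdict(float), defaultdict(list)
    for e, name, w in apply_rules(events):
        scores[e.user] += w
        evidence[e.user].append(f"rule:{name} ({e.destination}, hour {e.hour})")
    for e, z in peer_anomalies(events):
        scores[e.user] += anomaly_weight
        evidence[e.user].append(f"anomaly:bytes_out={e.bytes_out_mb}MB z={z} vs {e.peer_group} peers")
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return ranked, dict(evidence)


if __name__ == "__main__":
    ranked, evidence = risk_scores(EVENTS)
    for user, score in ranked:
        print(f"{user}: {score:.0f}")
        for line in evidence[user]:
            print("   ", line)
```

Running it ranks dave far above carol (rule hits plus two peer anomalies versus one after-hours rule hit), and erin and frank do not appear at all: their 250-300 MB pushes are normal for the engineering peer group, although a flat 200 MB threshold would have flagged the whole group. That difference is the point of peer-group baselining, and the accumulated evidence list is the context an analyst sees instead of a stream of disconnected alerts.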

Adding UEBA to Existing Strategies

While a UEBA solution can be used on its own to safeguard endpoints, prevent data loss, or detect anomalous activity, it performs best as part of a comprehensive security plan.

ArcSight Intelligence can process events from IAM, VPN, web proxy, Active Directory, EDR, and code and data repositories, and surfaces activity related to privilege escalation, account compromise and misuse, lateral movement, internal reconnaissance, and data staging.


Integrating UEBA with a SIEM, for example, improves the collection and analysis of, and the response to, internal threats. It can also strengthen endpoint security and EDR solutions, for example by assisting in the monitoring and control of Shadow IT, and it connects smoothly into a wider security fabric architecture. Further, intelligent security operations and UEBA can be used in conjunction with threat intelligence for effective attack surface management, countering breaches before they have an impact.

Business Outcomes

Enterprises with critical data to safeguard, a large surface area to monitor, and limited security controls or financial resources can benefit from ArcSight Intelligence's unrivaled ability to detect the risks that matter. ArcSight Intelligence behavioral analytics does not depend on static rules and thresholds; instead it assesses the potential risk a user or entity poses to the business using unsupervised machine learning models.

These algorithms continually combine billions of data points from logs to build a picture of every observed entity (people, machines, IP addresses, servers, printers, and so on) and to develop and assess each one's 'unique normal' behavior.

ArcSight Intelligence can be deployed on-premises or in the cloud on the CDF infrastructure, and it is also offered as a stand-alone SaaS offering. Additionally, customers using CrowdStrike Falcon as their EDR solution can integrate it seamlessly with ArcSight Intelligence. Visit our CrowdStrike store page to learn more and take advantage of a free Intelligence trial. ArcSight Intelligence is an important tool that can help unify the detection of, and response to, insider threats, closing the gap on one of the most serious, and most frequently overlooked, threats in your organization.

Call to Action:

To learn more, please visit our Intelligent SecOps Hub and Insider Threat Prevention Hub.

