惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cyberwarzone
Cyberwarzone
V
Vulnerabilities – Threatpost
T
Tenable Blog
Forbes - Security
Forbes - Security
Simon Willison's Weblog
Simon Willison's Weblog
AWS News Blog
AWS News Blog
G
GRAHAM CLULEY
Know Your Adversary
Know Your Adversary
S
Securelist
C
Cybersecurity and Infrastructure Security Agency CISA
Project Zero
Project Zero
C
CXSECURITY Database RSS Feed - CXSecurity.com
V
Visual Studio Blog
WordPress大学
WordPress大学
Latest news
Latest news
K
Kaspersky official blog
T
Tailwind CSS Blog
T
Threat Research - Cisco Blogs
B
Blog RSS Feed
C
Cisco Blogs
博客园 - 聂微东
Martin Fowler
Martin Fowler
T
The Blog of Author Tim Ferriss
小众软件
小众软件
L
LangChain Blog
阮一峰的网络日志
阮一峰的网络日志
L
LINUX DO - 热门话题
Stack Overflow Blog
Stack Overflow Blog
罗磊的独立博客
P
Proofpoint News Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Privacy International News Feed
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
C
CERT Recently Published Vulnerability Notes
Cisco Talos Blog
Cisco Talos Blog
S
SegmentFault 最新的问题
Security Latest
Security Latest
Y
Y Combinator Blog
爱范儿
爱范儿
aimingoo的专栏
aimingoo的专栏
P
Privacy & Cybersecurity Law Blog
L
LINUX DO - 最新话题
月光博客
月光博客
The GitHub Blog
The GitHub Blog
博客园 - 三生石上(FineUI控件)
S
Security Affairs
P
Proofpoint News Feed
D
DataBreaches.Net
有赞技术团队
有赞技术团队
云风的 BLOG
云风的 BLOG

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Vectra AI
Zoey Chu · 2026-06-06 · via Vectra AI Blog

For many security leaders, the most dangerous attacker isn’t on the outside, they’re already inside. Insider threats, whether from malicious employees or rogue admins, have already cleared the hardest hurdle in an attack: gaining access, often privileged access. That means they can operate with trusted credentials, existing permissions, and intimate knowledge of your systems and data.

This is why insider threats are often harder to detect and contain. According to IBM’s Cost of a Data Breach 2025 report, malicious insider attacks cost an average of $4.92 million and take 260 days to resolve, making them among the costliest and longest-lived incidents security leaders face.

Across active Vectra AI customer deployments, nearly 4 in 10 of the prioritized threats were insider threats within a one-month period. This isn’t rare. It’s happening now in real-world enterprise environments, and it’s happening often.

What Are the Gaps in Insider Threat Programs?

Even the most mature security programs often depend on a familiar trio of tools for insider threats risk, but each has a blind spot that attackers exploit:

  • DLP - Flags or blocks certain data transfers, but can’t tell intent. If an insider downloads sensitive files they’re allowed to access, DLP sees it as normal business activity.
  • EDR - Excellent at spotting malware and endpoint exploits, but blind to account misuse in SaaS, cloud, and identity layers where many insider incidents unfold.
  • SIEM - Aggregates logs for investigation, but doesn’t connect the dots between subtle, separate actions across different systems without heavy manual correlation.

These gaps exist because insiders operate with legitimate permissions. Their actions blend into routine workflows, bypassing prevention-focused controls. Without correlating behaviors across identities, cloud, and on prem network, the signs remain scattered and unrecognized.

The result? By the time an insider threat becomes obvious to these tools, sensitive data has already left or damage has already been done.

How Does Generative AI Increase Insider Threat Risks?

The rise of Generative AI in the workplace, particularly tools like Copilot for Microsoft 365, brings a new dimension to insider threats.

If a malicious insider or compromised account has Copilot access, they can use its unified AI search to query across Word, SharePoint, Teams, Exchange, and other Microsoft surfaces in seconds. Sensitive data that might have taken hours or days to locate manually can be discovered and staged for exfiltration almost instantly.

Why This Matters For Insider Threats:

  • Accelerated reconnaissance. Copilot removes latency from the discovery phase. An insider can surface credentials, financial data, or intellectual property at the speed of AI.
  • Living-off-the-land advantage. Attackers use existing permissions and trusted enterprise AI tools, blending seamlessly with legitimate user activity.
  • Limited native visibility. Security teams see minimal detail from Copilot audit logs, making it difficult to know what was searched for or returned.
  • Insufficient native controls. Built-in Copilot restrictions do little to stop determined insiders from probing the environment for sensitive information, and native tools do not detect when attackers compromise an identity to abuse legitimate usage of Copilot for M365.

Why Are Insider Threats So Hard to Detect?

Normal and malicious behaviors are nearly indistinguishable without context:

Normal Access Insider Threats
Admin creates email rules for mailbox management User creates email rules to forward data externally before leaving
Employee downloads files they use regularly Employee downloads files they’ve never accessed before, right before termination
Admin uses privileged account for maintenance Admin grants themselves new permissions to access sensitive IP

The challenge is compounded by motivation and opportunity. The vast majority of insider incidents are financially driven according to Verizon 2025 Data Breach Investigation Report, with rogue admins representing the highest-impact risk. In cloud-hosted environments, sensitive data can be identified and stolen in seconds, well before most security teams have time to react.

Top actors motives on privilege abuse

According to Verizon, 90% of top actors in privilege misuse breaches are internal, with 10% being partners. Financial incentive remains the number one motive.

The key is to understand how access is being used — the sequence, context, and intent behind each action — not merely that access occurred. Detecting real insider threats requires behavioral-based AI that can distinguish malicious intent from everyday anomalies.

Three Strategic Priorities to Strengthen Insider Threat Programs

1. Extend visibility to identity behaviors across all environments

Insiders operate across Active Directory, M365, SharePoint, Teams, Exchange, Entra ID, Copilot for M365, Cloud and network resources. Without correlation, each action appears benign in isolation. Full-surface identity visibility is essential.

2. Detect malicious intent earlier in the kill chain

Privilege escalation, unusual data staging, and persistence mechanisms often occur days or weeks before exfiltration. Early detection at this stage dramatically reduces impact and response costs.

3. Correlate and consolidate detections for decisive response

Security teams can’t investigate every anomaly. Behavioral monitoring distills thousands of low-level events into a handful of high-confidence cases with full context, enabling rapid and confident action.

A Real-World Case: How Vectra AI Stopped an Insider Threat

In one industrial manufacturing enterprise, an IT admin who is aware of upcoming layoffs:

  1. Gathered sensitive files from network data stores.
  2. Forwarded Exchange email to an external account.
  3. Used Copilot for M365 to discover sensitive data
  4. Downloaded SharePoint data outside normal patterns.
  5. Attempted post-termination logins to disabled accounts.

Anatomy of an attack that started with an insider threat

Traditional controls didn’t connect these actions in time. Vectra AI did — correlating each step into a single, high-confidence case, enabling swift containment and supporting legal action.

The Vectra AI Difference for Insider Threats

  • Proven risk reduction. Detects and stops insider threats earlier, minimizing financial and operational impact.
  • Behavioral-based AI Detection. Adds the behavioral layer missing from prevention-heavy programs.
  • Multi-surface visibility. Identity, cloud, Gen AI and network, in one correlated view.
  • Noise reduction at scale. 99.98% of detections filtered before reaching analysts according to Vectra AI Research.
  • Enables rapid investigation containment. From automated account lockdowns to full metadata context, to stop abuse before data leaves and to understand which files were accessed and the full scope of the attack.
  • Integrates with existing tools. Complements and strengthens DLP, EDR, and SIEM to cut insider threat risk without changing your existing workflow.

Insider threats are not just a compliance concern — they are a material business risk. Addressing them requires evolving beyond content inspection to identity-based behavioral detection.

The insider is already inside. The question is: will you see what they’re doing in time to stop them?

Take the Next Step in Insider Threat Protection

Insider threats demand more than prevention controls, they require behavioral-based AI detection that can see malicious intent in real time, across every identity and environment. Ready to strengthen your insider threat detection program? See Vectra AI Platform in action:

Read our VP of Product Mark Wojtasiak’s take on why Vectra AI stands tall in The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR)

Learn more about why Vectra AI is a leader and outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR)