Blog post

Threats Inside vs Insider Threat

By Anton Chuvakin | August 09, 2016 | 7 Comments


Here is a quick one on INSIDER THREAT. Deep down, we all know that nobody cares about the insider threat. Well, not literally “nobody”; few organizations do care about their insider threats [and, yes, those who genuinely care tend to care a whole lot, granted].

Now, many say they do care (a great example), but, frankly, I don’t think they spend money on it, hence their actions scream “WE DON’T CARE!” while their words whisper “eh…we …eh…care…maybe!” Off the cuff, we may get 50 malware calls for every 1 insider threat call, based on my purely unscientific impression of available data. Meanwhile, one may argue that insider threat is mostly about process than tools and so the spend is less visible, to which I say: try building a robust, mature process without spending lots of money – or time.

On the other hand, many organizations today are starting to care about the threats that are already inside (malware, attackers who hacked in, etc). Funnily, some security vendors market “insider threat solutions” to those people – thus creating hilarity (like “sandboxing to catch insider threat” or “top exploits used by insiders”…huh?)

To reduce this confusion, maybe we can think about this like so:

  • THREATS INSIDE – drive spending on UBA / UEBA, traffic analysis (NTA), SIEM, deception, lots of other tools, etc. A BIG DEAL!
  • INSIDER THREAT – drive almost no spending (as per our research, <10% of security budget). For a small number of organizations, this is a big deal too. For most others, this is a “meh!” issue.

While we are on the topic, check out our fun research on real insider threats! Also, I will be speaking on malicious insider threat next week at Gartner Catalyst.

Blog posts related to this research:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Sriram Ramachandran says:

    “Insider Threat” already comes with an accepted definition (see

    “Threats inside” is perhaps more open to interpretation. In a general sense, it can encompass: compromised users, negligent insiders and malicious insiders. The second category resonates strongly with enterprises.

  • Bill Munroe says:

    My experiences marketing an insider threat product from my DLP days versus the UEBA product I market today completely aligns with your view Anton. The interesting question is why? We know the insider steals data often – especially the leaving employee and yet companies and even security pros seem uninterested. Is it:
    – I do not want to play “big brother”
    – It is too hard – HR, Legal, regulations
    or is it management – I trust my employees and turn a blind eye to the leaving employee problem?

  • Matt says:

    @bill, it’s all those things perhaps. I don’t think insider threats are perceived as being something you solve with products, or as having the same reputation impacts. Take a look at the 2016 Verizon DBIR. In the trends section, it’s reported that 80%+ of breaches have external threat actors. Although there are other dimensions that matter, generally it seems natural to focus on the 80%.

  • Matthew Gardiner says:

    We must have been separated at birth….Just finished a draft of my RSAC submission:

    Threats on the Inside or Insider Threats? – Techniques for Stopping Both

    Maybe Threats on the Inside are more prevalent, but Insider Threats are on average more damaging?

    • Oh wow. So happy to hear that [well, not that we got separated at birth, that is 🙂 – this sounds sad]. I am happy to hear that this is being explored that is.

      Thanks for a great comment!

  • re: more damage from insider threat — this is “a widely held belief” but I really like to see proof… and by proof I don’t mean “a pokemon told me” 🙂

  • Andre Gironda says:

    No mention of the Unintentional Insider. You are working the (after-effect) symptoms, not the root problem.