Insider Threats

Detecting Malicious Insiders Before They Exfiltrate: A Behavioral Analytics Framework

Most insider threat programs focus on off-boarding. Here's why the greatest risk occurs 60 to 90 days before resignation — and how to catch it early.

The term "insider threat" conjures images of disgruntled employees walking out the door with USB drives. But the real risk is far more nuanced — and far harder to detect. In the majority of cases Kryphos has investigated, the data exfiltration began weeks or months before any official notice was given. By the time HR received a resignation letter, the damage was already done.

This article presents a behavioral analytics framework built from over 200 insider threat investigations. It focuses specifically on the pre-exfiltration window — the period where intervention is still possible.

  • 63% begin exfiltration before resignation
  • 84 days average lead time before formal notice
  • $4.1M average cost per insider incident

Why Perimeter Security Fails Against Insiders

Traditional security architecture is built around a fundamental assumption: the threat is external. Firewalls, IDS/IPS systems, and email gateways all share this bias. An insider — by definition — has already cleared the perimeter. They have valid credentials, legitimate access rights, and behavioral patterns that closely mimic normal usage.

This is why perimeter-focused security teams often have near-zero visibility into insider activity until after an incident is reported. The tools they rely on were never designed for this threat model.

"The insider's greatest advantage is that every one of their malicious actions looks, at first glance, exactly like legitimate work."

Sarah Okonkwo, Head of Threat Intelligence, Kryphos

The Pre-Resignation Window: 60 to 90 Days of Elevated Risk

In our analysis of 200+ cases, a consistent behavioral pattern emerges roughly 60 to 90 days before a malicious insider resigns or is terminated. This window is not arbitrary — it reflects the time employees typically spend planning their departure, negotiating with competitors, and quietly collecting the intellectual property they intend to take with them.

During this window, behavioral signals appear across three categories:

Access Pattern Anomalies

  • Sudden access to repositories, folders, or systems outside normal job scope
  • Bulk downloads of documents, source code, or customer records during off-hours
  • Repeated access to the same sensitive files across multiple sessions
  • First-ever access to legacy archives or long-dormant systems

Communication and Collaboration Signals

  • Decreased participation in internal collaboration tools (Slack, Teams)
  • Surge in emails to personal addresses, especially with large attachments
  • LinkedIn profile updates: new skills listed, profile set to "Open to Work"
  • Increased contact with known competitors or recruiter domains

Device and Endpoint Behavior

  • Use of personal cloud storage (Dropbox, Google Drive) from corporate devices
  • Connection of USB devices not previously used in the environment
  • Screenshots or screen recording activity on sensitive systems
  • VPN usage patterns that don't align with stated location

Key Insight

No single signal above is conclusive. The power of behavioral analytics lies in correlating multiple weak signals across time — what we call the "convergence threshold." When five or more signals appear within a 30-day window, the probability of malicious intent rises above 80% in our dataset.

Building a Behavioral Analytics Framework

A behavioral analytics framework for insider threat detection has four functional layers. Each layer is necessary; none is sufficient on its own.

Layer 1 — Baseline Establishment

Before you can detect anomalous behavior, you must know what normal looks like for each employee, team, and role. This requires at minimum 90 days of passive observation to build individual behavioral baselines. Machine learning models that compare against departmental averages alone will miss role-specific patterns that are entirely legitimate.
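As an added example (not Kryphos's code or tooling), the per-user baseline this layer calls for, built on a constructed 90-day series of daily sensitive-file download counts and scored with a robust modified z-score; the department, user names, counts and the 3.5 cut-off are assumptions. It shows the failure mode the paragraph describes: a data analyst's ordinary day trips the pooled departmental model while that user's own baseline stays quiet.

```python
from statistics import median

BASELINE_DAYS = 90   # the article's minimum passive-observation period
ANOMALY_Z = 3.5      # assumed cut-off on the modified z-score

def synthetic_history(base, spread=5):
    """Constructed 90-day series of daily sensitive-file download counts:
    deterministic +/-spread jitter around base, so the example is reproducible."""
    return [base + (i * 7) % (2 * spread + 1) - spread for i in range(BASELINE_DAYS)]

def build_baseline(daily_counts):
    """Robust baseline: median and median absolute deviation (MAD). A single spike
    inside the observation window barely moves these, unlike a mean and stdev."""
    med = median(daily_counts)
    mad = median(abs(c - med) for c in daily_counts) or 1.0  # flat series: avoid /0
    return {"median": med, "mad": mad}

def modified_z(value, baseline):
    """Iglewicz-Hoaglin modified z-score; |z| > 3.5 is the customary outlier cut-off."""
    return 0.6745 * (value - baseline["median"]) / baseline["mad"]

# Constructed department: three engineers who touch roughly 20 sensitive files a day
# and one data analyst whose legitimate role involves roughly 300 a day.
HISTORY = {
    "eng_a": synthetic_history(18), "eng_b": synthetic_history(20),
    "eng_c": synthetic_history(22), "analyst": synthetic_history(300),
}
USER_BASELINES = {u: build_baseline(h) for u, h in HISTORY.items()}
DEPT_BASELINE = build_baseline([c for h in HISTORY.values() for c in h])

def classify(user, todays_count):
    """Score today's count against the user's own baseline and against the pooled
    departmental baseline, and report which model would raise an anomaly."""
    z_user = modified_z(todays_count, USER_BASELINES[user])
    z_dept = modified_z(todays_count, DEPT_BASELINE)
    return {"user_model_flags": abs(z_user) > ANOMALY_Z,
            "dept_model_flags": abs(z_dept) > ANOMALY_Z,
            "z_user": round(z_user, 1), "z_dept": round(z_dept, 1)}
```

`classify("analyst", 304)` is flagged only by the departmental model, while `classify("eng_b", 140)` is flagged by both, which is the distinction a role-aware baseline buys you.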

Layer 2 — Multi-Source Signal Collection

Signals must be collected from endpoints, identity systems, email, collaboration tools, data loss prevention platforms and, if available, physical access systems. Point solutions that only monitor one vector will be blind to cross-channel evasion — a technique sophisticated insiders increasingly employ.

Layer 3 — Risk Scoring and Convergence Detection

Each signal event is assigned a weighted risk score based on its historical predictive value in your environment. Risk scores decay over time for events that are not reinforced, and surge when multiple high-weight signals converge within a defined window. Alerts are triggered at convergence thresholds, not individual event thresholds — this dramatically reduces false positives.
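An added example, not part of the article or of Kryphos's tooling, of the scoring described here and in the Key Insight above: weighted signal events with exponential decay, a 30-day convergence window, and an alert only when at least five distinct signal types converge and the decayed score clears a floor. The signal names, weights, 14-day half-life, score floor and the reading of "five signals" as five distinct types are assumptions; the events are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Illustrative weights (assumed); the article derives them from predictive value in your environment.
WEIGHTS = {
    "out_of_scope_repo_access": 2.0, "offhours_bulk_download": 3.0,
    "personal_email_large_attachment": 2.5, "new_usb_device": 2.0,
    "personal_cloud_upload": 3.0, "vpn_location_mismatch": 1.5,
}
HALF_LIFE_DAYS = 14.0   # assumed decay: an unreinforced event halves in weight every 14 days
WINDOW_DAYS = 30        # convergence window from the article
MIN_DISTINCT = 5        # "five or more signals within a 30-day window"
SCORE_THRESHOLD = 6.0   # assumed score floor, so five stale low-weight events alone do not alert

Event = namedtuple("Event", "user signal when")

def decayed_score(events, user, now):
    """Weighted score for one user; each event's weight decays exponentially with age."""
    total = 0.0
    for e in events:
        if e.user == user and e.when <= now:
            age_days = (now - e.when).total_seconds() / 86400
            total += WEIGHTS[e.signal] * 0.5 ** (age_days / HALF_LIFE_DAYS)
    return total

def distinct_signals(events, user, now):
    """Signal types observed for the user inside the trailing convergence window."""
    start = now - timedelta(days=WINDOW_DAYS)
    return {e.signal for e in events if e.user == user and start <= e.when <= now}

def evaluate(events, user, now):
    """Alert on convergence only: enough distinct signal types AND enough decayed weight."""
    kinds = distinct_signals(events, user, now)
    score = decayed_score(events, user, now)
    return {"alert": len(kinds) >= MIN_DISTINCT and score >= SCORE_THRESHOLD,
            "distinct": len(kinds), "score": round(score, 2)}

# Constructed sample events; T0 is an arbitrary reference date, NOW is 25 days later.
T0 = datetime(2024, 3, 1)
NOW = T0 + timedelta(days=25)
EVENTS = [Event(u, s, T0 + timedelta(days=d)) for u, s, d in [
    ("alice", "out_of_scope_repo_access", 2), ("alice", "offhours_bulk_download", 9),
    ("alice", "personal_email_large_attachment", 15), ("alice", "new_usb_device", 20),
    ("alice", "personal_cloud_upload", 24),          # five channels converge -> alert
    ("bob", "offhours_bulk_download", 3), ("bob", "offhours_bulk_download", 8),
    ("bob", "offhours_bulk_download", 13), ("bob", "offhours_bulk_download", 18),
    # bob's score alone exceeds the floor, but one repeated channel is not convergence
    ("carol", "new_usb_device", 11),                 # single event, exactly one half-life old
]]
```

`evaluate(EVENTS, "alice", NOW)` alerts; `evaluate(EVENTS, "bob", NOW)` does not, even though bob's raw score is higher than the floor, which is the difference between an event threshold and a convergence threshold.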

Layer 4 — Contextual Investigation Workflow

Automated alerts must feed into a structured investigation workflow. Every alert should surface contextual enrichment automatically: the employee's recent HR events, their role tenure, any open IT tickets, recent performance reviews (where legally accessible), and peer group comparison data. This context separates false positives from genuine risk in under 10 minutes for a trained analyst.

Implementation Without Destroying Culture

The most common failure mode we see isn't technical — it's cultural. Organizations that deploy insider threat programs without a transparent policy framework create an environment of surveillance paranoia that damages the trust they're trying to protect.

A legally sound and culturally sustainable implementation follows three principles:

  • Transparency over secrecy. Employees should know that activity on corporate systems is monitored. Most organizations already state this in their acceptable use policies — the monitoring framework simply operationalizes it.
  • Minimum necessary data. Collect only the signals that have demonstrable predictive value. Content monitoring (reading emails, capturing keystrokes) is high-risk legally and rarely necessary for effective detection.
  • Human review at every decision point. No automated system should take action against an employee without analyst review. False positives in this domain have severe consequences — for individuals and for the organization.

Starting With What You Have

You don't need to replace your entire security stack to begin building an insider threat capability. Most enterprises already have the raw data — they simply haven't connected it. Start with identity logs, email metadata, and endpoint telemetry. Build baselines. Train analysts on what the convergence threshold looks like in practice. Run tabletop exercises on historical incidents to calibrate your scoring model.

The goal is not zero insider incidents — it's early detection. The difference between a minor data loss event and a catastrophic breach is almost always measured in days. Close the pre-resignation window, and you close the gap.

Tags: Insider Threats, Behavioral Analytics, Data Exfiltration, Zero Trust