An internal security incident is one perpetrated by someone whose level of trust and access is greater than that of an outsider. Though most publicity about security breaches today focuses on outsider attacks, insider threats can be just as devastating to an organization as attacks from malicious outsiders, ranging from information leakage to sabotage. Insider attacks are also often harder to prevent, since the perpetrators sit inside the company firewall and usually have legitimate permission to use the very information they are stealing or damaging.
This paper explores two disparate insider threat scenarios: passing information to a competitor, and detecting and managing collaborative activity in a low-tech incident. The paper then presents the features and benefits of ArcSight ESM, demonstrating that detection, investigation, response and incident management are all critical components of a strong insider threat initiative. It concludes by revisiting the two insider threat examples and examining how ArcSight ESM would have managed each event to prevent the loss of, or damage to, the enterprise's confidential information.