How to Detect Insider Threats: 10 Behavioural Red Flags Indian CISOs Watch

Insider threats are rarely sudden. The data exfiltration incident on Friday usually had warning signals starting 2-6 weeks earlier. Pattern recognition is what UEBA (User and Entity Behaviour Analytics) does — turning a stream of small signals into a per-person risk score.

This post walks through the ten behavioural red flags that account for roughly 80% of incidents in our Indian customer base, and how to combine them into a useful detection model.

Red flag 1: Off-hours activity spike

An employee whose work pattern is consistent 9 AM - 7 PM IST suddenly logs in at 11 PM, 2 AM, on a Sunday. Single occurrences are noise. A new pattern persisting more than 5 sessions is signal.

Most-cited variant: the "weekend before resignation" — accessing systems on a Saturday or Sunday in the two weeks before the resignation letter arrives.

Red flag 2: New geographic access

Login from a city or country the person has never logged in from. Combined with off-hours, this is a strong account-compromise signal. Combined with normal hours but new geography, it is often a personal device or shared connection — also worth investigating.

Red flag 3: Data-access volume spike

The most reliable single signal in our dataset. Downloading 5-10× the person's normal daily volume of records, files, or screenshots over a 1-2 week window. Sometimes legitimate (year-end reporting, audit prep), often not.

Red flag 4: USB usage by a user who never uses USB

If your team typically does not use removable media (most modern Indian companies block it by default), a sudden USB-write event from a user who has zero prior USB activity is a high-confidence signal. Even a single event warrants a look.

Red flag 5: New cloud-upload destinations

Personal Dropbox, personal Google Drive, WeTransfer — appearing in the activity logs of a user who normally only uses corporate cloud apps. Cross-reference with file-size patterns: a new destination plus a 100+ MB upload is a strong combination.

Red flag 6: Source-code or CRM access outside scope

An engineer accessing source code repositories they have no business reason to touch. A sales-ops user pulling customer records outside their territory. The "scope creep" pattern is the canary for industrial-espionage and competitor-recruitment incidents.

Red flag 7: Sensitive document printing

Printing of documents tagged Confidential, Restricted, or otherwise sensitive — especially in volumes inconsistent with the role. Print monitoring is one of the lower-cost UEBA signals and surprisingly informative.

Red flag 8: Email spike to personal accounts

Outbound email volume from work account to the same employee's personal Gmail / Hotmail / Yahoo address, especially with attachments. Most companies treat one or two such emails as normal; sustained patterns are not.

Red flag 9: Tool / app installation outside the catalogue

Cloud-backup utilities, screen-capture tools beyond the standard set, remote-access apps (TeamViewer, AnyDesk) on machines where they are not part of the role. Often pre-positioning for later exfiltration.

Red flag 10: Performance / lifecycle context

The single biggest accuracy lift in any UEBA model comes from cross-referencing the signals above with HR-side context:

• Employee on a Performance Improvement Plan
• Resignation submitted but in notice period
• Role change with downward responsibility shift
• Negative engagement-survey signal
• Compensation conversation in progress

None of these are by themselves predictive of insider threat. But signals 1-9 weighted differently for someone in lifecycle category 10 catches what the same signals miss for a typical employee.

Building the model: signal weights that work

Score 100+ during a 30-day window = investigation. Score 200+ = real-time SOC alert + manager review.

How to actually deploy

Three-step rollout:

1. Connect data sources: endpoint monitoring (Headx), identity provider, file-access logs, HRMS. The HRMS feed is the highest-impact and the hardest to set up — start there.
2. Run in observe-only mode for 60-90 days: let the model build baselines. Do not act on alerts yet. You will discover that you over-weighted "off-hours" because half your sales team works on Saturdays.
3. Switch to alert + investigate: start with the highest-confidence signals (scope-creep, USB-by-non-USB-user) and expand.

FAQ

Will this generate too many false positives?

In observe-only mode, yes — 50-80% of fires are noise initially. After 90 days of tuning, well-calibrated UEBA runs at 5-15% false positive rate. The HR-context cross-reference is the biggest accuracy lever.

Can we run this without HR-data integration?

Yes but less effective. The 10× accuracy comes from the lifecycle context. If you cannot get HR-system integration, even monthly CSV exports of "employees on PIP" and "in notice period" lists materially help.

How does this differ from regular SIEM alerting?

SIEM fires on predefined rules (a known bad event). UEBA fires on statistical deviation from a baseline. Both are valuable — SIEM catches the known, UEBA catches the previously unseen.

Where do these red flags come from?

Aggregated patterns from 40+ Indian customer deployments and industry research from CERT-In, NIST insider-threat publications, and commercial threat-intelligence vendors. Specific numbers vary by sector and company size; the pattern set is consistent.

Related reading

See our deep-dives on USB exfiltration, protecting source code from departing engineers, and the UEBA glossary entry.