There is a comfortable, wrong intuition about insider threat: that risk is evenly distributed, that in a population of a hundred cleared people roughly one is a problem, and that if you watch everyone's behavior closely enough the outlier will reveal itself on a chart. It is wrong, because insider risk does not follow a normal distribution. It follows a power law.
Bell curves versus power laws
A normal distribution — a bell curve — clusters around an average with thin tails: extreme events are vanishingly rare and never far from the mean. Most of the metrics security tools watch (files accessed, hours logged, bytes transferred) are roughly normal, and a User Behavior Analytics (UBA/UEBA) platform is built to flag the statistical outliers on those curves.
Insider damage, however, is power-law distributed. In a heavy-tailed distribution, a vanishingly small number of events account for nearly all of the consequence — and the catastrophic case is not a scaled-up version of normal behavior. Out of thousands of trustworthy people, essentially none are threats; the one who is can cause damage out of all proportion to anything on an access-pattern histogram. You cannot find a power-law event by hunting for three-standard-deviation outliers on a bell curve. They are different mathematics.
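To make the contrast concrete, here is a small simulation (added for this article; not NexThreat's tooling and not code from the original essay). It builds a constructed workforce whose daily file-access counts are normally distributed, pins one hypothetical insider exactly at the population mean and one careless bulk downloader far above it, runs the median/MAD deviation rule a UEBA-style detector would apply, and then compares how much of the total consequence the worst 1% of events carry under a normal distribution versus a Pareto (power-law) one. All users, counts and damage values are constructed.

```python
"""Added illustration, not part of the original essay or NexThreat's tooling:
a deviation detector over normally distributed activity, beside consequence
that is power-law distributed. Every number here is constructed
(hypothetical users, hypothetical counts, hypothetical damages)."""
import statistics


def population_counts(n_users=2000, mean=40.0, sd=8.0):
    """Constructed daily files-accessed counts for a roughly normal workforce.
    User 0 is the 'read it, memorise it, type it at home' insider, pinned
    exactly at the population mean. User 1 is a careless bulk downloader."""
    dist = statistics.NormalDist(mean, sd)
    # Evenly spaced quantiles give a deterministic, near-normal sample.
    counts = [max(0, round(dist.inv_cdf((i + 0.5) / n_users))) for i in range(n_users)]
    counts[0] = round(mean)  # insider: nothing in the metric to see
    counts[1] = 400          # obvious case: ten times the norm
    return counts


def robust_z_outliers(values, threshold=3.0):
    """Indices whose value sits more than `threshold` robust standard deviations
    from the median (median/MAD scaling, the common form of a deviation rule,
    chosen so one extreme value cannot inflate the scale and hide the rest)."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    sigma = 1.4826 * mad  # MAD -> sigma for a normal population
    if sigma == 0:
        return []
    return [i for i, v in enumerate(values) if abs(v - med) / sigma > threshold]


def pareto_quantiles(n, alpha=1.1):
    """Constructed consequence values from a Pareto distribution with tail index
    alpha (close to 1 means an extremely heavy tail), via the inverse CDF."""
    return [((i + 0.5) / n) ** (-1.0 / alpha) for i in range(n)]


def top_share(values, k):
    """Fraction of the total carried by the k largest values."""
    top = sorted(values, reverse=True)[:k]
    return sum(top) / sum(values)


if __name__ == "__main__":
    counts = population_counts()
    flagged = robust_z_outliers(counts)
    # The bulk downloader is flagged, alongside several benign tail users;
    # the insider at the mean never appears.
    print("flagged indices:", flagged)
    print("insider (user 0) flagged:", 0 in flagged)
    print("normal activity, top 1%% share: %.3f" % top_share(counts, 20))
    damages = pareto_quantiles(2000)
    print("pareto consequence, top 1%% share: %.3f" % top_share(damages, 20))
    print("pareto consequence, single worst event share: %.3f" % top_share(damages, 1))
```

Run as-is, the deviation rule flags the bulk downloader and a handful of ordinary heavy users, and never the insider sitting at the mean. The top 1% of the normal activity metric carries a few percent of the total; the top 1% of the Pareto consequence values carries well over a third, and the single worst event alone more than a tenth. That is the gap the essay describes: the metric being thresholded and the quantity that matters are drawn from different distributions.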
The Queen of Cuba
Ana Montes — the senior Defense Intelligence Agency analyst known as the "Queen of Cuba" — spied for Cuban intelligence for sixteen years before her arrest in 2001. Here is what should keep a UEBA vendor up at night: she did almost nothing technically detectable. She did not exfiltrate large files, mass-download from databases, or trip a data-loss rule. She memorized what she read at her desk, went home, and typed it from memory. By every statistical measure a tool could compute, her behavior sat comfortably inside the normal range — because it was normal, right up until the consequence. She was not caught by analytics. She was caught by counterintelligence: by inference, pattern-of-life reasoning, and human judgment.
Montes is the clearest case, but the lesson generalizes. The most dangerous insiders are often the ones deliberately operating inside the baseline — low and slow, within their access, within their hours, within their norms. A tool tuned to flag deviation will either miss them entirely or bury them under thousands of benign anomalies.
Why COTS UBA/UEBA isn't enough
Commercial UBA/UEBA platforms are useful — they catch the careless and the obvious. But at their core they are deviation detectors built on a normality assumption that the worst insiders violate by design. Finding the power-law case requires something no product ships out of the box: inferential analytics that reason across context, relationships, and intent rather than thresholds; the creativity to ask questions the data was never structured to answer; and an analyst in the loop who can connect signals no single rule would.
That is the work NexThreat does. We build insider-threat capability that goes beyond statistical deviation — combining behavioral and data analytics with the inferential, counterintelligence-informed reasoning the genuinely dangerous cases demand. The bell curve will not save you. The thinking behind it might.