Monday, January 12, 2026

Insiders in the spotlight: redefining corporate cybersecurity

Corporate cybersecurity is undergoing a paradigm shift. Threats once regarded as external increasingly originate from within. With remote work, cloud adoption, and distributed access, cybercriminals no longer need to breach corporate perimeters: they log in as if they were legitimate users.

Tony Fergusson, CISO at Zscaler, Inc., a cloud security leader (NASDAQ: ZS), explains that this evolution fundamentally redefines internal risk. “Historically, an insider meant someone physically inside the company—an employee or contractor with office access. Today, users are everywhere, data often resides in the cloud, and traditional perimeters have dissolved. Anyone accessing this trusted environment is, by definition, an insider,” Fergusson notes.

Attackers blend in as legitimate users

The difficulty of detecting threats has increased dramatically. Attackers now compromise identities or devices, moving through systems while mimicking authorized employee behavior. Fergusson emphasizes: “Cybercriminals no longer need to hack their way in; they simply log in.”

This approach, sometimes called living off the land (LOTL), leverages tools, credentials, and processes already present in the network, allowing adversaries to remain undetected. The closer they operate to critical systems or sensitive data, the harder it is for traditional security measures to differentiate them from legitimate users.

From zero trust to negative trust

In response, Zscaler advocates for a shift beyond traditional identity-based security. Zero Trust remains essential, but Fergusson highlights the need for Negative Trust, a strategy that leverages unpredictability and controlled deception to disrupt attackers.

“Predictability is a risk many companies overlook. Making systems unpredictable hampers attacker progress and aids detection,” he explains. Continuous behavioral monitoring is key to identifying malicious activity before it escalates.

Behavior over access: the new perimeter

With access itself now the perimeter, companies must prioritize behavioral signals over simple credentials. Threat actors are increasingly willing to pay insiders to leak data or provide authentication tokens, making behavioral analytics and anomaly detection indispensable.

Fergusson concludes, “In an era where access is the new perimeter, behavior is the only true signal of trust.”

Frequently Asked Questions

What is the new internal threat landscape?

Internal threats now include any user or device accessing cloud-based corporate resources. Attackers can operate as legitimate insiders, making detection more difficult.

How does living off the land (LOTL) work?

LOTL attacks use existing tools, credentials, and processes within the organization, allowing cybercriminals to avoid triggering traditional security alerts.

What is Negative Trust?

Negative Trust complements Zero Trust by introducing unpredictability and controlled deception, making it harder for attackers to move undetected.

Why is behavior more important than identity?

Because access credentials can be compromised, monitoring behavioral patterns provides a more accurate signal of potential insider threats.

How can companies improve internal threat detection?

By implementing continuous behavioral analytics, anomaly detection, and combining Zero Trust with Negative Trust principles, organizations can detect malicious activity before it escalates.

Alberto G. Méndez
Madrid-based journalist focused on technology and business.
Copyright © 2025 Enterprise&More. All rights reserved.