This is especially the case when the malicious behavior is only slightly out of the norm for that account, and when the enterprise is large, and there are a lot of accounts to monitor.
"Hackers are using good user credentials as a way to infiltrate organizations and a lot of the products on the market right now would not catch that," said Eric Schou, director of product marketing for HP's enterprise security products groups.
To help with this, HP released a user behavior analytics product this spring at the RSA conference.
The technology can identify typical user behavior patterns in order to spot unusual behaviors, but can also be programmed with rules based on access policies for particular groups of employees.
For example, he said, if a user from the marketing department is logging into Oracle Financials, that could be in violation of a policy and send up a red flag.
He warned, however, that employees will often do unusual things for legitimate reasons. "It might just be behavior that's out of the norm, but not malicious."
It's not just people who can behave badly. Similar technology can be used to identify normal behaviors of individual endpoints, and recognize when they're doing something suspicious.
"Previous efforts in security analytics were unable to meaningfully represent the expected and normal behavior for connected endpoints," said Bryan Doerr, CEO at Observable Networks, one of the vendors offering this technology.
That challenge has only been getting harder, he added, as the number of endpoints has been growing along with the amount of data they generate that companies can now store.
"Our big idea was to use the data avalanche as inputs to a modeling process," he said. "We use all this rich data about endpoints to maintain models of their behavior, so that we can recognize when they do things they should not do."
This is all new territory, said Sriram Ramachandran, CEO at analytics vendor Niara.
"It has been a challenge to make the whole thing work seamlessly as a product," he said, and it's been holding back adoption.
"Getting all the information and putting it into elastic storage -- you can do that very quickly," he said. "If you Google Alan Turing, you will get millions of results. But the panel on the right, with the summary -- that requires machine learning."
Sign up for CIO Asia eNewsletters.