Stop blaming your users for compromised credentials
Users remain the biggest threat to a company’s security, but blaming your users is never the right route to take.
Users are (usually) human. They are careless, flawed and often exploited. In fact, attackers love exploiting the naivety of your users because it’s so easy.
All it takes is one successful phishing email to persuade just one user to hand over their organization’s login details. Once that hacker gains entry to your systems, you’re not going to find out until it’s too late — your anti-virus and perimeter systems aren’t programmed to pick up on access using legitimate login details, giving snoopers all the time in the world to, well, snoop.
So, how are you supposed to spot inappropriate user access when it’s already been defined as appropriate?
Spotting the threat
Security must be there to protect users from both careless and malicious behavior and to protect the business from outsiders trying to gain access by pretending to be employees.
When you boil it down, the only way to really tell if someone is a malicious insider or an intent external threat actor is by allowing them to perform actions (such as launching applications, authenticating to systems, accessing data, etc.) and determine whether the actions are inappropriate.
But given that the majority of your user population doesn’t act the same way everyday – let alone the next week or month – it makes more sense to spot the threat actor by looking at leading indicators of threat activity, rather than waiting for the threat activity itself.
One of the most accurate leading indicators is one no malicious insider or external threat actor can get around – the logon (local, remote, via SMB, via RPC, etc.). Endpoints require logons for access, lateral movement of any type requires authentication to access a target endpoint, and access to data first requires an authenticated connection.
Protecting against users’ compromised credentials
The leveraging of Logon Management solutions provides organizations with not only the ability to monitor logons and identify suspicious logon activity, but to also craft logon policies to limit the scope of account use and automatically shut down access based on inappropriate logon behavior. By using the contextual information around a user’s logon (origin, time, session type, number of access points, etc.) genuine logins become useless to would-be attackers.
So, while there might not be a patch for the user quite yet, keep in mind that you do have a foolproof way to make sure authenticated users are who they say they are, identify any ‘risky’ user behavior and put a stop to it before it ends up costing you capital, customers and your company’s reputation.
Read our latest infographic on how to stop blaming users and start better protecting users’ authenticated access: