An important subsequent step is to identify and track all authorized access credentials that are in use, including orphaned, shared, third-party and remote access accounts. Most can be used to access sensitive company data, systems and applications, and as a springboard for data breaches. Once a user’s access credentials are hijacked, they can enable attackers to move around the network undetected.
Also, access credentials should be monitored across all networks, voice and data channels, infrastructure, computer systems, devices, databases and applications. As part of this process, any excess access credentials that are not required by users should be revoked, especially those that do not match, or conflict with, the access held by other users in an individual's relevant peer groups.
In addition, pay close attention to user accounts with elevated access privileges, such as system or database administrator accounts and system-level accounts on all security and perimeter devices. Some of these accounts may not be used on a regular basis and should therefore be scanned continuously to evaluate whether they need to be removed or disabled.
Once user credentials are being monitored and logged, access activity should be analyzed against sensitive or privileged data. For example, which user accounts are accessing customer, supplier or finance data? Why is this type of data being accessed by these user accounts? Are users' access privileges consistent with their need to access this type of data?
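To make the peer-group comparison, the dormant privileged-account scan and the sensitive-data access review concrete, here is an added Python example (not from the original article) that runs all three checks over a constructed account inventory and access log; the account names, entitlements, datasets and dates are invented.

```python
from datetime import date

# Constructed sample inventory (not real data): peer group, entitlements,
# whether the account is privileged, and when it was last used.
ACCOUNTS = {
    "alice":      {"group": "finance", "ents": {"erp_read", "erp_post"}, "privileged": False, "last_used": date(2024, 5, 20)},
    "bob":        {"group": "finance", "ents": {"erp_read", "erp_post"}, "privileged": False, "last_used": date(2024, 5, 21)},
    "carol":      {"group": "finance", "ents": {"erp_read", "erp_post", "crm_export"}, "privileged": False, "last_used": date(2024, 5, 19)},
    "dba01":      {"group": "dba",     "ents": {"db_admin"}, "privileged": True, "last_used": date(2024, 1, 3)},
    "svc_backup": {"group": "service", "ents": {"db_admin"}, "privileged": True, "last_used": date(2024, 5, 22)},
}

# Constructed access log entries: (account, sensitive dataset touched).
ACCESS_LOG = [("alice", "finance"), ("carol", "customer"), ("svc_backup", "supplier")]

# Entitlement that legitimately grants access to each sensitive dataset.
REQUIRED_ENT = {"customer": "crm_export", "supplier": "erp_read", "finance": "erp_read"}

def peer_outliers(accounts):
    """Entitlements held by an account but by no other member of its peer group.
    Groups with a single member are skipped: there is no peer to compare against."""
    flagged = []
    for name, acct in accounts.items():
        peers = [a for n, a in accounts.items() if n != name and a["group"] == acct["group"]]
        if not peers:
            continue
        peer_ents = set().union(*(p["ents"] for p in peers))
        flagged.extend((name, e) for e in sorted(acct["ents"] - peer_ents))
    return flagged

def dormant_privileged(accounts, as_of, max_idle_days=90):
    """Privileged accounts not used within max_idle_days: candidates to disable or remove."""
    return sorted(n for n, a in accounts.items()
                  if a["privileged"] and (as_of - a["last_used"]).days > max_idle_days)

def review_sensitive_access(accounts, access_log, required_ent):
    """Flag accesses to sensitive data that are not backed by the required entitlement,
    or are backed only by an entitlement that is an outlier within the peer group."""
    outliers = set(peer_outliers(accounts))
    findings = []
    for name, dataset in access_log:
        needed = required_ent[dataset]
        if needed not in accounts[name]["ents"]:
            findings.append((name, dataset, f"lacks {needed}"))
        elif (name, needed) in outliers:
            findings.append((name, dataset, f"{needed} is a peer-group outlier"))
    return findings
```

Each finding is a review item for the account owner's manager or the data owner, not an automatic revocation; the thresholds and the required-entitlement map are the parts an organization tunes to its own environment.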
Being able to differentiate between “good” and “bad” user behavior is the foundation for gathering actionable incident detection and response intelligence. It is also vital for shortening the dwell time of intrusions and containing or preventing data exfiltration.