OVERVIEW
Access Policy Violation
The Access Policy Violation alert is triggered when a login was otherwise successful (the username and password were correct) but was blocked by an Access Policy.
Access Policy and Violation
- Proactive notifications
- Minimise escalation risk
- Receive early intrusion notifications
- Protect user accounts
- Detect suspicious behaviour
Impact
Real world impact
Problem Faced
Joe is only allowed to log in to his tenancy from his designated laptop, or from his work location (identified by the ISP details). If Joe's account shows a successful entry of username and password that was then blocked for breaching policy, it immediately raises two questions:
a) Was it Joe? (or does a malicious actor have Joe's login details?)
b) If it was Joe, why is he trying to log in from a device or location that he knows he should not be able to use?
Suitable action needs to be taken in either case: either remediation of a compromised account, or end-user training on security and login policies.
Solution
It is critical that Access Policy Violations are identified as quickly as possible. If it is a fraudulent login, then immediate action is required – the longer it is left, the more chances the attacker has to bypass the Access Policies and gain actual access. This is not a situation that you want to find out about weeks, months, or even years later. If it is a legitimate end-user, then assistance and guidance to obtain access needs to be given.
Checking hundreds, thousands, or potentially tens of thousands of login attempts each day is a tedious and time-consuming process. The simple fact is that it is not reasonable to expect an administrator to check for Access Policy Violations on a daily basis.
CatchBefore can undertake this check multiple times per day. The sooner the situation is discovered, the sooner you can take mitigation steps, and reduce the potential for a larger impact.
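As an added example (not CatchBefore's code, and not any vendor's log format), the check described above run over a small batch of sign-in records. The record fields, the per-user policy and the sample sign-ins are constructed for this illustration. The detector keeps only records where the credentials were accepted but the access policy blocked the sign-in (ordinary failed passwords are not Access Policy Violations), annotates each hit with whether the device and ISP were ones the policy recognises (helping with the "was it Joe?" triage), counts hits per user, and separately re-evaluates the "designated device or work ISP" rule to surface records where the recorded decision disagrees with the configured policy.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sign-in records. The credential check result and the access-policy
# decision are recorded as separate fields; field names are assumptions for this example.
SAMPLE_SIGNINS = [
    {"user": "joe", "device_id": "LAPTOP-JOE", "isp": "WorkNet ISP", "creds_ok": True, "policy_result": "allowed"},
    {"user": "joe", "device_id": "UNKNOWN-7f3a", "isp": "Overseas Hosting Co", "creds_ok": True, "policy_result": "blocked"},
    {"user": "joe", "device_id": "UNKNOWN-7f3a", "isp": "Overseas Hosting Co", "creds_ok": True, "policy_result": "blocked"},
    {"user": "joe", "device_id": "LAPTOP-JOE", "isp": "Home Broadband Co", "creds_ok": True, "policy_result": "allowed"},
    {"user": "joe", "device_id": "TABLET-UNREG", "isp": "Home Broadband Co", "creds_ok": True, "policy_result": "blocked"},
    {"user": "joe", "device_id": "UNKNOWN-9c21", "isp": "Overseas Hosting Co", "creds_ok": False, "policy_result": "not_evaluated"},
    {"user": "ann", "device_id": "LAPTOP-ANN", "isp": "WorkNet ISP", "creds_ok": True, "policy_result": "allowed"},
    {"user": "ann", "device_id": "PHONE-UNREG", "isp": "WorkNet ISP", "creds_ok": True, "policy_result": "blocked"},
]

# Constructed per-user policy: a sign-in is permitted from a designated device OR from a work ISP.
ACCESS_POLICY = {
    "joe": {"devices": {"LAPTOP-JOE"}, "isps": {"WorkNet ISP"}},
    "ann": {"devices": {"LAPTOP-ANN"}, "isps": {"WorkNet ISP"}},
}

EMPTY_RULE = {"devices": set(), "isps": set()}


@dataclass(frozen=True)
class Violation:
    user: str
    device_id: str
    isp: str
    known_device: bool  # device is one the policy designates for this user
    known_isp: bool     # ISP is one the policy treats as the user's work location


def is_policy_violation(record: dict) -> bool:
    """The defining condition: credentials accepted, but the access policy blocked the sign-in."""
    return bool(record["creds_ok"]) and record["policy_result"] == "blocked"


def find_violations(signins: list[dict], policy: dict) -> list[Violation]:
    """Return every Access Policy Violation, annotated for triage."""
    hits = []
    for r in signins:
        if not is_policy_violation(r):
            continue
        rule = policy.get(r["user"], EMPTY_RULE)
        hits.append(Violation(r["user"], r["device_id"], r["isp"],
                              r["device_id"] in rule["devices"], r["isp"] in rule["isps"]))
    return hits


def violations_per_user(violations: list[Violation]) -> dict[str, int]:
    """Repeated blocked attempts for one account are the ones to look at first."""
    return dict(Counter(v.user for v in violations))


def expected_decision(record: dict, policy: dict) -> str:
    """Re-evaluate the configured rule independently of what the log recorded."""
    if not record["creds_ok"]:
        return "not_evaluated"
    rule = policy.get(record["user"], EMPTY_RULE)
    permitted = record["device_id"] in rule["devices"] or record["isp"] in rule["isps"]
    return "allowed" if permitted else "blocked"


def policy_mismatches(signins: list[dict], policy: dict) -> list[dict]:
    """Records whose logged decision disagrees with the configured rule: a sign of policy
    drift or misconfiguration that deserves its own alert rather than user triage."""
    return [r for r in signins if r["policy_result"] != expected_decision(r, policy)]


if __name__ == "__main__":
    found = find_violations(SAMPLE_SIGNINS, ACCESS_POLICY)
    for v in found:
        print(f"VIOLATION user={v.user} device={v.device_id} isp={v.isp} "
              f"known_device={v.known_device} known_isp={v.known_isp}")
    print("per user:", violations_per_user(found))
    for r in policy_mismatches(SAMPLE_SIGNINS, ACCESS_POLICY):
        print(f"MISMATCH user={r['user']} logged={r['policy_result']} "
              f"expected={expected_decision(r, ACCESS_POLICY)}")
```

Run against the constructed data, the three blocked sign-ins for joe all come from an unrecognised device and an unrecognised ISP, which leans toward the "was it Joe?" question, while ann's blocked sign-in from a work ISP is reported both as a violation and as a mismatch, since the configured rule says it should have been allowed. Scheduling this over fresh sign-in records several times a day is the kind of automated check the text describes.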
Prevention
What are the main questions you should consider when working out how to manage this risk?
- Do you have a system or solution in place to detect Access Policy Violations?
- If there was an Access Policy Violation from one of your users today, would you find out?
- How long do you think it would take to find out that one of your user accounts was blocked due to an Access Policy Violation?
- Have you ever checked your system for Access Policy Violations?
- What would the impact be on your organisation if a user account was compromised for an extended period of time without detection?