The document discusses the importance of monitoring user behavior to prevent compromised credentials in Windows Active Directory networks. Key strategies include implementing real-time monitoring, context-aware access restrictions, and setting alerts for abnormal login activities. Statistics indicate a significant percentage of companies are already utilizing these practices to enhance security and protect against unauthorized access.

1. © Copyright 2016 - IS Decisions S.A - All right reserved
UserLock and FileAudit are trademarks of IS Decisions S.A
All numbers are from IS Decisions’ research into the access security priorities of 500 IT Security Managers in the US and UK.
http://www.isdecisions.com/user-security-versus-user-productivity/
Transparent security that
does not impede end users and
hinder productivity
Fast implementation
and easy to manage
Non-disruptive technology
that doesn’t frustrate
IT departments
www.fileaudit.com
FileAudit monitors and alerts on all file
access and access attempts. Contextual
functions help detect any malicious access
and alteration of sensitive information on
Windows systems.
FileAudit
www.userlock.com
With context-aware user login rules,
real-time monitoring and risk detection
tools, UserLock works alongside Active
Directory to guard against compromised
logins on Windows systems.
UserLock
TWO SOFTWARE SOLUTIONS
FOR WINDOWS ACTIVE DIRECTORY NETWORKS
Make sure authenticated users are who they say they are, identify any ‘risky’ behavior and put a
stop to it before it ends up costing capital, customers and your company’s reputation.
Compromised credentials can happen to everyone - Don't let it be you
Attackers are after data, and for that they must access it before they can
extract it. Visibility is key. If the adversary had valid, authorized
credentials, it becomes critical to monitor all access to sensitive data. Not
only unauthorized, but authorized as well.
31%
of companies’ currently monitor user behavior
to guard against compromised credentials
MONITOR
ALL ACCESS TO
SENSITIVE DATA
4
report
Set rules that automatically allow or deny a login connection requested. Set
restrictions on location, IP address, time of day, number of simultaneous
sessions, number of initial access points. Modified at any time all changes
shouldbeappliedinreal-timeandeffectiveimmediately.
31%
of companies’ currently use contextual access restrictions to
guard against compromised credentials
SET CONTEXTUAL ACCESS
CONTROLS TO LIMIT END
USERS ACCESS
3
rules
Set real-time alerts on specific events so you can identify if authenticated
credentials have been compromised and immediately stop network
access.
54%
of companies’ currently use abnormal logon activity alerts
to guard against compromised credentials
SET ALERTS
ON ABNORMAL
LOGON ACTIVITY
2
access denied
!
Your users will have already been assigned logins, but you won’t know if
abnormal behavior is happening if you don’t know who is connected from
which workstation or device and since when.
47%
of companies’ currently use real-time monitoring
to guard against compromised credentials
IMPLEMENT REAL TIME
MONITORING OF ACCOUNT
LOGON ACTIVITY
1
Stop blaming users and start better protecting users’ authenticated access.
TO STOP COMPROMISED
LOGIN ACCESS
EASY
STEPS4
connected
from home
11:23 pm
copying
copying
copying
copying
For example:
Simultaneous logins from locations too far apart
to make any sense, or sequential logins with
different credentials being used from an existing
impossible journeys
46%
For example:
Login attempts from outside normal business hours
sudden change in working/office hours
48%
For example:
A repetition of failed login attempts
or password resets.
password resets
reset
pASSWORD
48%
For example:
Login attempts from an unlikely session
type, location or device.
Implausible remote access
58%
LOGged
LOGin
For example:
Copying, deleting or moving
of a large number of files en-mass.
Unusual resource usage
59%
The top five signs are top for a reason — because they are the usual suspects
when it comes to identifying if someone uninvited has breached your network.
WARNING SIGNS OF COMPROMISED CREDENTIALS
YOU SHOULD BE LOOKING OUT FOR5
hacked database including user credentials
22%
password duplication
29%
Private
Password
xabc3
Corporate
Password
xabc3
social engineering
35%
E-mail
SPAM
key-logging malware
37%
password sharing with colleagues
38%
PASSWORD
phishing
58%
LOGIN
PASSWORD
But users are human. They are flawed, careless and often exploited.
Security must be there to protect users from both careless and malicious behavior and to
protect the business from outsiders trying to gain access by pretending to be employees.
It’s easy to blame your users.
It’s your end-users that are often endangering your network.
HOW LOGIN CREDENTIALS ARE EFFORTLESSLY COMPROMISED
Compromised credentials are key to avoiding network breach detection.
They belong to an authenticated user with authorized access!
45%of data breaches are as a result
of compromised credentials
----------------
80%of organizations believe detecting
possible compromised credentials
is important
How to bolster your defense against security breaches
that stem from stolen and shared user login credentials
STOP BLAMING YOUR USERS
FOR COMPROMISED CREDENTIALS