Insider Threat Detection & Response Moving from Access Logging to Continuous Access Monitoring & Immediate Response

Effective access control is not just about putting up barriers to entry.
It should also enable more visibility into what specific employees are doing within specific systems.

Many organizations have no way to continuously monitor and audit access to help ensure only properly authorized individuals are gaining access to the internal network.

To maintain a secure and compliant Windows Active Directory environment, organizations must monitor for unauthorized or suspicious network/file access that heighten the risk to corporate data/systems.

Knowing what is going on in your network environment and most importantly responding to it is the key.

Detect and Respond to Suspicious Access Behaviour

Impossible in native Active Directory functionality, this type of real time monitoring and immediate response should be an integral part of an organization’s security policy and risk mitigation strategy.

Tracking User Logon for an entire Windows Active Directory network would mean checking each individual computer’s security audit logs. The data is huge in volume, difficult to understand and offers no easy centralized view to continuously monitor.

Likewise keeping track over who has access to data is critical, but almost impossible manually.

Furthermore, it is important to stress that whilst monitoring user activity is required by many compliance regulation, without being able to filter or send an alert to the security administrator on specific and potentially suspicious access events, the monitoring has limited use.

By responding quickly, even if the threat is a false alarm, showing that action is taken swiftly helps educate users and reduces the risk of malicious insider activity.

Detect and respond to Insider Threats

Through continuous monitoring and alerting FileAudit and UserLock GUI (Graphical User Interface) both make it easy to see what’s happening with network and data access. They offer succinct readable data which makes managing systems far easier. This significantly reduces the workload related to monitoring access, allows you to respond instantly in emergency situations and offers a comprehensive, centralized and searchable audit trail.

Respond to Compromised or Stolen Network Passwords

The use of automated warnings sent to users by the security software itself, rather than simply logging an incident for management/ administrators to take action offers further protection.

Alerting users when their own credentials are used to connect (or attempt to connect) to the network allows users themselves to assess a situation and inform their IT department who can react immediately to any fraudulent use of compromised credentials.

Risk Assessment to indicate suspicious access behaviour

By correlating a user’s actual access events with their customized access controls, a user can be assigned a ‘risk indicator’ to alert administrators on potential inappropriate or suspicious login behaviour.

To identify “at-risk insiders” offers a better predictive capability to detect possible insider risks before a breach takes place.

Ensure access is attributed to an individual employee

No set of security measures is 100% perfect and an incident can always happen.

Fine grained access control combined with proper computer account management will though ensure that access to all of the organization’s critical data/information is attributed to individual employees. Accountability will make malicious insiders think twice before acting and make all users more careful with their actions.

If an organization is not openly and consistently dealing with unacceptable behaviour, then other employees are getting the message that they can get away with it.

By not controlling concurrent logins a whole accountability and non-repudiation issue is created. Preventing concurrent logins, as is the case with UserLock, an organization can accurately identify, search, report and archive user access and make a user accountable for any malicious activity.


With continuous access monitoring, alerts and auditing, organizations have the ability to ensure access controls and policies are enforced, respond immediately to emergency situations helping protect corporate data from the insider threat.

Next chapter Insider Threat Awareness

IS Decisions software offers organizations proven and effective solutions to help protect a Windows Network against Insider Threats.


Manage, control and secure network access for all authenticated users.


Secure and report on all access to files, folders and file shares that reside on Windows Systems and in the cloud.