Webinar – Identifying Abnormal Authentication: Associating Users with Workstations and Detecting When Users (Try to) Logon to Someone Else’s Workstation
How do you determine when a nosy or potentially malicious insider tries to logon to another user’s workstation with their own account, or to their own computer with a colleague’s password? How do you detect password sharing?
The first hurdle is knowing which account each workstation belongs to – a time consuming affair at a large organization. If you have an accurate and up-to-date asset management system that has this information — and if you can regularly import it into your SIEM — that’s a strong first step. But most organizations I work with really struggle on this score.
In most cases, it’s more practical to automatically associate users and computer based on logon history. But you have to take into account turnover both in users and computers. A static baseline will only produce increasing false positives until it becomes useless.
