OVERVIEW

Access Policy Violation

The Access Policy Violation alert is triggered when a login was otherwise successful (the username and password were accepted) but was then blocked by an Access Policy.

Watch out for attempts

Access Policy and Violation

  • Proactive notifications
  • Minimise escalation risk
  • Receive early intrusion notifications
  • Protect user accounts
  • Detect suspicious behaviour
Access control and configuration

Situations faced by the client

How is this check useful in the real world? As an example, let’s take a user called Joe.

Problem Faced

Joe is only allowed to log in to his tenancy from his designated laptop, or from his work location (specified by the ISP details). If Joe's account shows a successful entry of username and password that was then blocked for breaking this policy, it immediately raises two questions:

a) Was it Joe? (or does a malicious actor have Joe's login details?)

b) If it was Joe, why is he trying to log in via a device or location that he knows he should not be able to use?

Suitable action needs to be taken in either case: remediation of a compromised account, or end-user training regarding security and login policies.

Solution

It is critical that Access Policy Violations are identified as quickly as possible. If it is a fraudulent login, then immediate action is required; the longer it is left, the more chances the attacker has to bypass the Access Policies and gain actual access. This is not a situation that you want to find out about weeks, months, or even years later. If it is a legitimate end-user, then assistance and guidance to obtain access needs to be provided.

Checking hundreds, thousands, or potentially tens of thousands of login attempts each day is a tedious and time-consuming process. The simple fact is that it is not reasonable to expect an administrator to check for Access Policy Violations on a daily basis.

CatchBefore can undertake this check multiple times per day. The sooner the situation is discovered, the sooner you can take mitigation steps and reduce the potential for a larger impact.
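The check described above, written out as an added example that is not CatchBefore's own code or the page's: it evaluates each sign-in record against a per-user device/ISP policy of the kind Joe's tenancy uses and flags only the "credentials accepted but policy blocked" combination, then summarises the hits per user so an administrator can start on the "was it Joe?" question. The policy shape, the `SignInEvent` fields and the sample log entries are all assumptions constructed for this illustration, not a real log format.

```python
from dataclasses import dataclass
from collections import defaultdict

# Hypothetical per-user Access Policy: a login is permitted if it comes from
# an approved device OR an approved ISP (Joe's "designated laptop or work location").
@dataclass(frozen=True)
class AccessPolicy:
    allowed_devices: frozenset
    allowed_isps: frozenset

    def permits(self, device_id: str, isp: str) -> bool:
        return device_id in self.allowed_devices or isp in self.allowed_isps

# Hypothetical sign-in record; credentials_valid means username+password were accepted.
@dataclass(frozen=True)
class SignInEvent:
    timestamp: str
    user: str
    device_id: str
    isp: str
    credentials_valid: bool

@dataclass(frozen=True)
class Violation:
    user: str
    timestamp: str
    device_id: str
    isp: str

POLICIES = {
    "joe@example.com": AccessPolicy(
        allowed_devices=frozenset({"LAPTOP-JOE-01"}),
        allowed_isps=frozenset({"Example Office Fibre"}),
    ),
}

# Constructed sample log; not taken from any real tenancy.
SAMPLE_EVENTS = [
    SignInEvent("2024-05-01T08:02:11Z", "joe@example.com", "LAPTOP-JOE-01", "Home Broadband Co", True),
    SignInEvent("2024-05-01T09:15:40Z", "joe@example.com", "UNKNOWN-PC-7", "Example Office Fibre", True),
    SignInEvent("2024-05-01T23:41:05Z", "joe@example.com", "UNKNOWN-PC-7", "Overseas Hosting Ltd", True),
    SignInEvent("2024-05-01T23:43:19Z", "joe@example.com", "UNKNOWN-PC-7", "Overseas Hosting Ltd", False),
    SignInEvent("2024-05-02T03:10:52Z", "joe@example.com", "ANDROID-9F2", "Mobile Carrier X", True),
    SignInEvent("2024-05-02T10:00:00Z", "ann@example.com", "LAPTOP-ANN-01", "Home Broadband Co", True),
]

def find_violations(events, policies) -> list:
    """Return the events where credentials were valid but the Access Policy blocked the login.

    Failed-password attempts are deliberately excluded: they belong to a
    different alert, and mixing them in would bury the policy violations.
    Users without a policy are skipped rather than assumed blocked.
    """
    violations = []
    for ev in events:
        policy = policies.get(ev.user)
        if policy is None or not ev.credentials_valid:
            continue
        if not policy.permits(ev.device_id, ev.isp):
            violations.append(Violation(ev.user, ev.timestamp, ev.device_id, ev.isp))
    return violations

def summarise(violations) -> dict:
    """Per-user triage summary: how many hits, and from which devices and ISPs."""
    summary = defaultdict(lambda: {"count": 0, "devices": set(), "isps": set()})
    for v in violations:
        entry = summary[v.user]
        entry["count"] += 1
        entry["devices"].add(v.device_id)
        entry["isps"].add(v.isp)
    return {u: {"count": e["count"], "devices": sorted(e["devices"]), "isps": sorted(e["isps"])}
            for u, e in summary.items()}

if __name__ == "__main__":
    hits = find_violations(SAMPLE_EVENTS, POLICIES)
    for user, info in summarise(hits).items():
        print(f"{user}: {info['count']} violation(s) from devices {info['devices']} via {info['isps']}")
```

Run over the sample, only the two entries where Joe's password was accepted from an unapproved device on an unapproved ISP are reported; the office login from an unknown PC passes on the ISP rule, and the failed-password attempt is left to the failed-login check. In a scheduled job the summary is what gets mailed out each run, which is the "multiple times per day" cadence the text describes.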

Prevention

What are the main questions you should consider when working out how to manage this risk?

  • Do you have a system or solution in place to detect Access Policy Violations?
  • If there was an Access Policy Violation from one of your users today, would you find out?
  • How long do you think it would take to find out that one of your user accounts was blocked due to an Access Policy Violation?
  • Have you ever checked your system for Access Policy Violations?
  • What would the impact be on your organisation if a user account was compromised for an extended period of time without detection?