
Insider Threat Matrix™

  • ID: ME001.001
  • Created: 08th September 2025
  • Updated: 08th September 2025
  • Platforms: Windows, Linux, MacOS, iOS, Android
  • Contributor: Ryan Bellows

Access to Asset Past Termination

The subject accesses a corporate hardware asset, most commonly a laptop or corporate mobile device, after their employment has formally ended. This typically occurs due to gaps in deprovisioning, delayed hardware recovery, or the subject physically retaining the device despite offboarding procedures. Post-termination access may be opportunistic or intentional, and may precede or coincide with data exfiltration, sabotage, or unauthorized continuation of internal access.

 

This sub-section is relevant in cases where the hardware asset is no longer linked to an active identity in HR systems but remains technically functional and capable of network, VPN, or service access. Such access undermines the assumption that termination alone revokes operational capability and may point to procedural drift in IT, HR, or facilities handover workflows.

Prevention

PV020: Data Loss Prevention Solution

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

 

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

PV024: Employee Off-boarding Process

When an employee leaves the organization, a formal process should be followed to ensure all equipment is returned, and any associated accounts or access is revoked.

PV025: Full Disk Encryption

Full Disk Encryption (FDE) involves encrypting all data on a device's hard disk or solid-state drive (SSD), including the Operating System (OS), third party applications and user data. This helps to ensure that data on the disk remains inaccessible if the laptop is lost or stolen, as the data cannot be accessed without the correct decryption key.

 

Typically a user decrypts a FDE disk during the boot process. The user is prompted to enter a password or provide a hardware token to unlock the encryption key. Only after successful authentication can the disk be decrypted and subsequently the Operating System loaded and the data accessed.

PV054: Human Resources Collaboration for Early Threat Detection

Implement a process whereby HR data and observations, including those from managers and colleagues, can be securely communicated in a timely manner to investigators, triggering proactive monitoring of potential insider threats early in their lifecycle. Collaboration between HR teams, managers, colleagues, and investigators is essential for detecting concerning behaviors or changes in an employee's personal circumstances that could indicate an increased risk of insider threat.

 

Mental Health and Personal Struggles

  • Trigger Event: HR receives reports or observes a significant change in an employee's behavior or performance, which may indicate mental health issues or personal struggles that could elevate the likelihood of an insider threat. This information may come from managers, colleagues, or direct observations within HR.
  • Indicator: Multiple reports from managers, direct supervisors, or colleagues highlighting behavior changes such as stress, depression, or erratic actions.
  • Response: HR teams should notify investigators of high-risk employees with visible signs of distress or any reported instances that might indicate susceptibility to manipulation or exploitation.

 

Negative Statements or Discontent with the Company

  • Trigger Event: HR identifies instances of employees making negative statements about the company, its leadership, or its operations, potentially through personal social media channels, internal communications, or third-party reports. Additionally, such concerns might be raised by managers or colleagues.
  • Indicator: Recorded incidents where employees voice dissatisfaction in forums or interactions that may expose vulnerabilities within the company, which may come from colleagues, managers, or HR’s internal channels.
  • Response: Immediate referral to investigators for further investigation, including tracking if such sentiments are coupled with any increase in risky behaviors (e.g., accessing sensitive data or systems without authorization).

 

Excessive Financial Purchases (Potential Embezzlement or Third-Party Influence)

  • Trigger Event: HR or finance teams notice discrepancies in an employee's personal financial behavior—particularly excessive spending patterns that appear inconsistent with their known salary or financial profile. This could indicate embezzlement, financial mismanagement, or payments from third parties. Such concerns may also be raised by managers or colleagues.
  • Indicator: Transactions that show a high degree of personal spending or financial behavior inconsistent with the employee’s compensation, possibly flagged by HR, finance, or colleagues who notice unusual behaviors.
  • Response: Referral to investigators for correlation with employee access to financial or sensitive company systems, along with further scrutiny of potential illicit financial transactions. Third-party or whistleblower reports, including from colleagues or managers, may also be investigated as part of a broader risk assessment.

 

Hearsay and Indirect Reports

  • Trigger Event: Anonymous or informal reports—such as rumors or gossip circulating in the workplace—that hint at potential insider threat behaviors. These reports, often from colleagues or managers, may be unsubstantiated, but they still warrant an alert if the volume or credibility of the information increases.
  • Indicator: Reports or concerns raised by employees, colleagues, or external parties suggesting that an employee may be engaging in unusual behaviors, such as excessive contact with external vendors, financial irregularities, or internal dissatisfaction.
  • Response: Investigators work with HR to assess the situation by cross-referencing any concerns, including those from colleagues or managers, with the employee's activity patterns, communication, and access to sensitive systems.

 

Implementation Considerations

  • Collaboration Framework: A clear and secure protocol for HR, managers, colleagues, and investigators to share critical information regarding employees at risk. This should maintain employee privacy and legal protections, while still enabling timely alerts.
  • Confidentiality and Privacy: All information related to personal behavior, health, or financial matters must be handled with sensitivity and in accordance with legal and regulatory frameworks, such as GDPR or local privacy laws.
  • Continuous Monitoring: Once flagged, employees should be monitored for any other risk indicators, including changes in data access patterns, unapproved system access, or behavior that correlates with identified risks.

PV041: Mobile Device Management (MDM)

MDM solutions require employees to register their personal devices with the organization's MDM system before gaining access to corporate networks and applications. This process ensures that only approved and known devices are permitted to connect.

 

Once a device is enrolled, the MDM system can enforce security policies that include:

  • Access Control: Restricting or granting access based on the device's compliance with corporate security standards.
  • Configuration Management: Ensuring that devices are configured securely, with up-to-date operating systems and applications.
  • Remote Wipe and Lock: Allowing the organization to remotely wipe or lock a device if it is lost, stolen, or if suspicious activity is detected.
  • Data Encryption: Enforcing encryption for data stored on and transmitted by the device to protect sensitive information.
  • Application Control: Managing and restricting the installation of unauthorized applications that could pose security risks.

Detection

DT046: Agent Capable of Endpoint Detection and Response

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

 

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

 

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

DT045: Agent Capable of User Activity Monitoring

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

 

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

 

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

 

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

DT047: Agent Capable of User Behaviour Analytics

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

 

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

 

A User Behaviour Analytics platform will typically conduct a period of 'baselining' when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization's users, which are used to train a Machine Learning (ML) model. This ML model can then be used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

 

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

DT112: Asset Discovery Audit

A scheduled, systematic audit of organizational assets to verify that all hardware, software, and network infrastructure aligns with approved inventories and configuration baselines. The audit is designed to detect unauthorized, unapproved, or misconfigured assets that may have been introduced opportunistically by subjects circumventing standard processes.

 

Detection Methods

  • Conduct periodic formal asset discovery audits using network scanning tools, endpoint management platforms, and manual verification processes.
  • Reconcile discovered assets against authoritative asset management databases (e.g., CMDB, inventory systems).
  • Inspect critical operational areas physically to identify unauthorized devices such as rogue wireless access points, unsanctioned satellite terminals, or personally procured IT hardware.
  • Require supporting documentation (e.g., procurement records, change approvals) for all assets found during audits.
  • Audit virtual infrastructure and cloud accounts to detect unapproved services, instances, or network configurations introduced outside formal governance.

 

Indicators

  • Assets detected during the audit that are absent from official asset registries.
  • Devices operating without appropriate configuration management, endpoint security tooling, or monitoring integration.
  • Physical or virtual infrastructure deployed without associated change control, procurement, or authorization records.
  • Wireless networks or external connections operating without approved designations or safeguards.

DT144: Asset Register Correlation

Leverage the corporate asset register to correlate device ownership, user assignment, and provisioning status. This enables investigators to quickly determine:

  • Which subject(s) are assigned to a given device
  • Which devices are officially assigned to a given subject
  • Whether a device exists in inventory without an assigned owner (unprovisioned)
  • Whether a subject is using a device not present in the official register

 

By maintaining this cross-referenced view, investigators can detect orphaned assets, unauthorized re-use, and unmanaged endpoints that bypass provisioning controls. The asset register becomes both a baseline for enforcement and a forensic source of truth during insider threat investigations.

 

What an Asset Register Is

An asset register is a centralized, authoritative database that records all corporate hardware assets—most critically laptops, desktops, and other endpoints. Each record includes:

  • Unique asset identifier (serial number, asset tag, or hardware UUID)
  • Current assigned subject (mapped to Human Resources Information System (HRIS) identity)
  • Device state (active, decommissioned, loaner, in repair, unassigned)
  • Provisioning details (date issued, baseline configuration, security tooling enrollment)
  • Custodial history (who previously held the device and when it was reassigned)

 

The asset register provides a single point of truth that investigators and defenders can use to validate whether a device is legitimately in use and under control.

 

Implementation Approaches

  • Dedicated Asset Management Systems: Deploy enterprise-grade IT asset management platforms (e.g., ServiceNow, Lansweeper, Jamf, SCCM) with integrations to HRIS and Identity and Access Management (IAM).
  • MDM/EDR Integration: Ensure that mobile device management (MDM) and endpoint detection and response (EDR) solutions feed device enrollment status into the asset register.
  • HRIS Linkage: Automate assignment by linking HR onboarding/offboarding events directly to device provisioning and revocation workflows.
  • Physical Asset Tagging: Label each device with a unique asset tag or barcode tied to the register to prevent informal reallocation.
  • Audit and Recertification: Conduct periodic reconciliation (monthly or quarterly) to ensure the register reflects reality — identifying missing devices, duplicates, or ghost entries.
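The cross-referencing described above, carried out as an added example (not the ITM project's code): an HRIS extract, an asset register and EDR/MDM check-in data are reconciled to surface devices still in use by leavers, unassigned devices in use, and endpoints that report in but are absent from the register. All three data sets are constructed, and their field names are assumptions.

```python
"""Reconcile an asset register against HRIS status and endpoint check-ins.

Constructed sample data, not the ITM project's code; record layouts and
field names are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed HRIS extract: subject -> employment status and termination date.
HRIS = {
    "jsmith": {"status": "terminated", "term_date": datetime(2025, 9, 1)},
    "adoe":   {"status": "active",     "term_date": None},
    "bkim":   {"status": "terminated", "term_date": datetime(2025, 8, 15)},
}

# Constructed asset register: asset tag -> assigned subject and device state.
REGISTER = {
    "LT-1001": {"subject": "jsmith", "state": "active"},
    "LT-1002": {"subject": "adoe",   "state": "active"},
    "LT-1003": {"subject": None,     "state": "unassigned"},
    "LT-1004": {"subject": "bkim",   "state": "decommissioned"},
}

# Constructed EDR/MDM check-ins: asset tag -> last seen time and logged-on user.
CHECKINS = {
    "LT-1001": {"last_seen": datetime(2025, 9, 8, 9, 30), "user": "jsmith"},
    "LT-1002": {"last_seen": datetime(2025, 9, 8, 8, 5),  "user": "adoe"},
    "LT-1003": {"last_seen": datetime(2025, 9, 7, 22, 0), "user": "bkim"},
    "LT-9999": {"last_seen": datetime(2025, 9, 8, 7, 45), "user": "adoe"},
}


def reconcile(hris, register, checkins, grace=timedelta(days=1)):
    """Return sorted (asset_tag, finding) pairs that merit investigator review.

    grace allows for the normal delay between the HR termination date and
    hardware recovery; check-ins after term_date + grace are flagged.
    """
    findings = []
    for tag, rec in register.items():
        subj = rec["subject"]
        seen = checkins.get(tag)
        # Device observed in use by a leaver after the grace period (ME001.001).
        if seen:
            user_hr = hris.get(seen["user"])
            if user_hr and user_hr["status"] == "terminated" \
                    and seen["last_seen"] > user_hr["term_date"] + grace:
                findings.append((tag, f"post-termination use by leaver {seen['user']}"))
        # Register still shows the device as active for a terminated subject.
        subj_hr = hris.get(subj) if subj else None
        if subj_hr and subj_hr["status"] == "terminated" and rec["state"] == "active":
            findings.append((tag, "still active in register after termination"))
        # Unassigned (orphaned) device that is nonetheless checking in.
        if subj is None and seen:
            findings.append((tag, f"unassigned device in use by {seen['user']}"))
        # Device used by someone other than its assigned subject (informal re-use).
        if subj and seen and seen["user"] != subj:
            findings.append((tag, f"used by {seen['user']}, assigned to {subj}"))
    # Endpoints reporting to EDR/MDM that the register does not know about.
    for tag in checkins.keys() - register.keys():
        findings.append((tag, "checking in but absent from asset register"))
    return sorted(findings)
```
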

DT048: Data Loss Prevention Solution

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

 

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

DT137: Discrepancies Between Physical Access Logs and System Authentication

In tightly controlled environments where system access is expected to be physically co-located (e.g., secure enclaves, badge-restricted zones, no-VPN networks), login events occurring without corresponding physical entry records indicate potential misuse of credentials or anti-forensic access. Subjects may provide or leak credentials to others, or operate under shared or impersonated accounts. This discrepancy can also signal badge cloning, tailgating, or failure to enforce physical-to-logical access binding.

 

Detection Methods

 

Compare physical access logs (e.g., Lenel, Genetec, CCure badge systems) with:

  • Active Directory login events
  • VPN or RDP session logs
  • Privileged session management tools

 

Construct correlation logic:

  • Alert when a login event occurs but there is no badge entry for that subject within ±30 minutes.
  • Extend correlation window for multiple facility entry points if needed.

 

Filter for:

  • Logins to high-sensitivity systems
  • After-hours activity
  • Accounts with elevated privileges

 

Alert on:

  • Logins during badge absence
  • Logins post facility closure
  • Badge present, but login occurs from an unassigned workstation

 

Example Scenario

In a secure IT operations center, access to administrative consoles is restricted to physically present engineers. On a holiday, an engineer’s domain account logs into the configuration server — but badge access records show they never entered the facility that day. Investigation reveals the password was shared with a colleague under informal backup practices, violating policy and creating audit ambiguity.
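The correlation logic above, as an added example rather than code from the page: badge-system and authentication exports are compared, and any login without a successful badge entry for the same subject within ±30 minutes is raised, with after-hours logins tagged separately. Both logs and their CSV layouts are constructed for illustration, and the facility hours are an assumption.

```python
"""Flag logins with no badge entry for the same subject within a ±30-minute window.

Constructed sample logs, not the ITM project's code; the CSV layouts and
facility hours are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed badge-system export: timestamp,subject,door,result
BADGE_LOG = """\
2025-09-08T08:55:00,adoe,MainEntrance,GRANTED
2025-09-08T09:02:00,bkim,MainEntrance,GRANTED
2025-09-08T09:10:00,jsmith,MainEntrance,DENIED
"""

# Constructed authentication export: timestamp,subject,host,logon_type
AUTH_LOG = """\
2025-09-08T09:05:00,adoe,ops-console-01,Interactive
2025-09-08T09:12:00,jsmith,config-srv-02,Interactive
2025-09-08T09:20:00,bkim,config-srv-02,Interactive
2025-09-08T21:30:00,adoe,ops-console-01,Interactive
"""

WINDOW = timedelta(minutes=30)
BUSINESS_HOURS = range(7, 19)  # assumed facility hours: 07:00 to 18:59


def parse(text):
    """Parse a CSV export into (datetime, subject, field3, field4) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, subject, *rest = line.split(",")
        rows.append((datetime.fromisoformat(ts), subject, *rest))
    return rows


def badge_entries(badge_rows):
    """Map subject -> list of times at which a badge entry was GRANTED."""
    entries = {}
    for ts, subject, _door, result in badge_rows:
        if result == "GRANTED":
            entries.setdefault(subject, []).append(ts)
    return entries


def correlate(badge_text, auth_text, window=WINDOW):
    """Return (timestamp, subject, host, reason) for each login that has no
    granted badge entry for the same subject within ±window."""
    entries = badge_entries(parse(badge_text))
    alerts = []
    for ts, subject, host, _logon_type in parse(auth_text):
        nearby = entries.get(subject, [])
        if not any(abs(ts - t) <= window for t in nearby):
            reason = "login without badge entry in window"
            if ts.hour not in BUSINESS_HOURS:
                reason += " (after hours)"
            alerts.append((ts, subject, host, reason))
    return alerts
```

With only entry events available, a subject who badged in hours before a login will also alert under the literal ±30-minute rule; adding badge exit events, or extending the window as the page suggests for multi-entrance sites, reduces that noise.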

DT051: DNS Logging

Logging DNS requests made by corporate devices can assist with identifying what web resources a system has attempted to access or has successfully accessed.

DT096: DNS Monitoring

Monitor outbound DNS traffic for unusual or suspicious queries that may indicate DNS tunneling. DNS monitoring entails observing and analyzing Domain Name System (DNS) queries and responses to identify abnormal or malicious activities. This can be achieved using various security platforms and network appliances, including Network Intrusion Detection Systems (NIDS), specialized DNS services, and Security Information and Event Management (SIEM) systems that process DNS logs.

DT104: Leaver Watchlist

In relevant security tooling (such as a SIEM or EDR), a watchlist (also known as a reference set) should be used to monitor for any activity generated by accounts belonging to employees who have left the organization, as this is unexpected. This can help to ensure that the security team readily detects any unrevoked access or account usage.

 

This process must be in partnership with the Human Resources team, which should inform the security team when an individual leaves the organization (during an Employee Off-Boarding Process, see PV024), including their full name and user account names. Ideally, this process should be automated to prevent any gaps in monitoring between the information being sent and the security team adding the name(s) to the watchlist. All format variations should be considered as individual entries in the watchlist to ensure accounts using different naming conventions will generate alerts, such as john.smith, john smith, john.smith@company.com, and jsmith.

 

False positives could occur if there is a legitimate reason for interaction with the account(s), such as actions conducted by IT staff.
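The watchlist construction and matching described above, as an added example that is not code from the page: each leaver from the HR offboarding feed is expanded into the format variations the text lists, and events are matched on both actor and target so that activity by a leaver account alerts while administrative actions on that account by named IT staff are down-ranked rather than dropped. The mail domain, the IT staff accounts, the leaver feed and the event records are all constructed assumptions.

```python
"""Expand leaver names into watchlist entries and match them against events.

Constructed sample data, not the ITM project's code; the mail domain,
IT staff accounts and event layout are assumptions for illustration.
"""

DOMAIN = "company.com"                       # assumed corporate mail domain
IT_STAFF = {"svc-offboard", "it-helpdesk"}   # assumed accounts that may touch leaver accounts


def watchlist_entries(first, last, extra=()):
    """Return every naming-convention variant of a leaver's identity, lower-cased,
    so that an account in any of these forms generates an alert."""
    f, l = first.lower(), last.lower()
    variants = {
        f"{f}.{l}", f"{f} {l}", f"{f}_{l}", f"{f[0]}{l}",
        f"{f}.{l}@{DOMAIN}", f"{f[0]}{l}@{DOMAIN}",
    }
    variants.update(v.lower() for v in extra)  # known aliases from HR/IT
    return variants


def build_watchlist(leavers):
    """leavers: iterable of (first, last, extra_account_names) from offboarding (PV024)."""
    watchlist = set()
    for first, last, extra in leavers:
        watchlist |= watchlist_entries(first, last, extra)
    return watchlist


# Constructed leaver feed, including one known alias supplied by HR.
LEAVERS = [("John", "Smith", ["jsmith2"])]

# Constructed events: (timestamp, actor, target_account, action)
EVENTS = [
    ("2025-09-08T09:00:00", "jsmith", "jsmith", "VPN_CONNECT"),
    ("2025-09-08T09:30:00", "it-helpdesk", "john.smith@company.com", "MAILBOX_EXPORT"),
    ("2025-09-08T10:00:00", "JSMITH2", "JSMITH2", "SSO_LOGIN"),
    ("2025-09-08T10:05:00", "adoe", "adoe", "SSO_LOGIN"),
]


def match_events(events, watchlist, allowed_actors=IT_STAFF):
    """Return (timestamp, action, finding, actor) for each event involving a listed name.

    A listed actor is always an alert (unexpected use of a leaver account).
    A listed target acted on by an allowed IT account is recorded at 'info'
    severity to handle the legitimate-administration false positive."""
    alerts = []
    for ts, actor, target, action in events:
        a, t = actor.lower(), target.lower()
        if a in watchlist:
            alerts.append((ts, action, "leaver account active", actor))
        elif t in watchlist:
            sev = "info" if a in allowed_actors else "alert"
            alerts.append((ts, action, f"leaver account touched ({sev})", actor))
    return alerts
```
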

DT063: Microsoft Entra ID Sign-in Logs

From the Microsoft Entra Admin Center (https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), or through the Azure Portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), it is possible to view detailed sign-in logs for user accounts.

This information includes (but is not limited to) the Date, User, Application, Status, IP Address, and Location.

DT100: Virtual Private Network (VPN) Logs

Depending on the type of VPN appliance or service used, VPN logs can provide detailed records of user activity. These logs typically include information such as user IDs, device types, IP addresses, and connection timestamps. By analyzing VPN logs, security teams can identify deviations from normal usage patterns, such as connections from unusual geographic locations, access during odd hours, or unusually large data transfers. Anomalies in VPN usage can serve as early indicators of suspicious behavior, potentially signaling attempts at data exfiltration or other unauthorized activities. Alerts triggered by these irregularities allow for further investigation to assess potential threats.