
Insider Threat Matrix™

  • ID: ME001.002
  • Created: 08th September 2025
  • Updated: 08th September 2025
  • Platforms: Windows, Linux, macOS, iOS, Android
  • Contributors: The ITM Team, Ryan Bellows

Purchase and Use of Unmanaged Corporate Hardware

The subject purchases a laptop (or similar endpoint) using a corporate payment method but does so outside established procurement and provisioning processes. By bypassing IT and asset management workflows, the subject introduces a corporate-funded but unmanaged device into the environment.


Such devices often lack standard security controls—such as endpoint detection and response (EDR), encryption, configuration baselines, or patching—and may not be tracked in asset inventory systems. While the subject may rationalize the purchase as operationally necessary (e.g., urgency, convenience, or perceived lack of IT responsiveness), the result is a sanctioned but invisible device with the potential to bypass monitoring and governance controls.


This behavior undermines organizational asset control, complicates investigative attribution, and introduces unmanaged endpoints capable of accessing sensitive networks and data.

Prevention

PV056 Azure Conditional Access Policies

Azure Conditional Access provides organizations with a powerful tool to enforce security policies based on various factors, including user behavior, device compliance, and location. These policies can be configured through the Azure Active Directory (Azure AD) portal and are typically applied to cloud-based applications, SaaS platforms, and on-premises resources that are integrated with Azure AD.


To configure Conditional Access policies, administrators first define the conditions that trigger the policy, such as:

  • User or group membership: Applying policies to specific users or groups within the organization.
  • Sign-in risk: Assessing user sign-in risk levels, such as unfamiliar locations or suspicious behaviors, and enforcing additional controls like MFA.
  • Device compliance: Ensuring only compliant devices (those managed through Intune or similar tools) can access organizational resources.
  • Location: Restricting access based on trusted or untrusted IP addresses and geographic locations, blocking risky or suspicious login attempts.


Once conditions are set, administrators can then specify the actions to take, such as requiring MFA, blocking access, or allowing access only from compliant devices. For example, an organization could require MFA when accessing Microsoft 365 or other cloud applications from an unmanaged device or high-risk location.


Conditional Access policies are configured through the Azure AD portal and can be applied to a variety of platforms and services, including (but not limited to):

  • Microsoft 365 (e.g., Exchange, SharePoint, Teams)
  • Azure services (e.g., Azure Storage, Azure Virtual Machines)
  • Third-party SaaS applications integrated with Azure AD
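
The following is an added example, not Microsoft code and not part of the ITM page: a small evaluator that mirrors how the concepts above combine. Each policy carries conditions (user or group membership, application, sign-in risk, device compliance, location) and a grant control; every policy whose conditions all match is enforced together, and a block takes precedence over any other control. The policies, group names, application names and sign-in records are constructed for illustration and do not correspond to any tenant's configuration.

```python
"""Toy Conditional Access style evaluator (added example, constructed data)."""
from dataclasses import dataclass

RISK_LEVELS = ("none", "low", "medium", "high")


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset          # directory groups the user belongs to
    app: str                   # application being accessed
    device_compliant: bool     # True only for an MDM-managed, compliant device
    trusted_location: bool     # True when the source IP is a named trusted location
    risk: str                  # one of RISK_LEVELS


@dataclass(frozen=True)
class Policy:
    name: str
    include_groups: frozenset = frozenset()   # empty = all users
    include_apps: frozenset = frozenset()     # empty = all applications
    risk_levels: frozenset = frozenset()      # empty = any sign-in risk
    unmanaged_devices_only: bool = False      # scope to non-compliant devices
    untrusted_locations_only: bool = False    # scope to untrusted locations
    grant: str = "mfa"                        # "block", "mfa" or "compliant_device"


def policy_applies(policy: Policy, s: SignIn) -> bool:
    """Every configured condition must match for the policy to be in scope."""
    if policy.include_groups and not (policy.include_groups & s.groups):
        return False
    if policy.include_apps and s.app not in policy.include_apps:
        return False
    if policy.risk_levels and s.risk not in policy.risk_levels:
        return False
    if policy.unmanaged_devices_only and s.device_compliant:
        return False
    if policy.untrusted_locations_only and s.trusted_location:
        return False
    return True


def evaluate(policies, s: SignIn) -> set:
    """Union of grant controls from every matching policy; a block wins outright."""
    if s.risk not in RISK_LEVELS:
        raise ValueError(f"unknown sign-in risk level {s.risk!r}")
    required = set()
    for policy in policies:
        if policy_applies(policy, s):
            if policy.grant == "block":
                return {"block"}
            required.add(policy.grant)
    return required or {"allow"}


M365_APPS = frozenset({"Exchange", "SharePoint", "Teams"})

# Constructed policies modelled on the examples given in the text above.
POLICIES = (
    Policy("Block high-risk sign-ins", risk_levels=frozenset({"high"}), grant="block"),
    Policy("Require MFA for M365 from unmanaged devices",
           include_apps=M365_APPS, unmanaged_devices_only=True, grant="mfa"),
    Policy("Require MFA for M365 from untrusted locations",
           include_apps=M365_APPS, untrusted_locations_only=True, grant="mfa"),
    Policy("Cloud admins need a compliant device for the Azure portal",
           include_groups=frozenset({"CloudAdmins"}),
           include_apps=frozenset({"AzurePortal"}), grant="compliant_device"),
)


def decide(s: SignIn) -> set:
    return evaluate(POLICIES, s)


if __name__ == "__main__":
    # The ME001.002 scenario: a corporate-funded but unmanaged laptop on the office network.
    unmanaged = SignIn("alice", frozenset({"Staff"}), "Exchange", False, True, "low")
    print(sorted(decide(unmanaged)))
```

The point for this technique is the second policy: a laptop bought outside provisioning is never enrolled, so it is not compliant, and the device-compliance condition is what makes it visible to policy at sign-in time even when it sits on a trusted network.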
PV028 Corporate Card Spending Limits

Applying spending limits to corporate cards can control the amount of funds a subject could spend legitimately or illegitimately.

PV012 End-User Security Awareness Training

Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others.

PV003 Enforce an Acceptable Use Policy

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

PV027 Financial Approval Process

The financial approval process is a structured procedure used by organizations to review and authorize financial transactions. It includes segregation of duties, authorization levels, and documentation and audit trails to prevent financial abuse and ensure adherence to policies and budgets.

PV038 Insider Threat Awareness Training

Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion.

PV022 Internal Whistleblowing

Provide a process for all staff members to report concerning and/or suspicious behaviour to the organization's security team for review. An internal whistleblowing process should take into consideration the privacy of the reporter and the subject(s) of the report, with specific regard to safeguarding against reprisals against reporters.

PV049 Managerial Approval

The process for having software installed on a corporate endpoint by IT should require approval from the employee's line manager to ensure the request is legitimate and appropriate.

PV057 Structured Request Channels for Operational Needs

Establish and maintain formal, well-communicated pathways for personnel to request resources, report deficiencies, or propose operational improvements. By providing structured mechanisms to meet legitimate needs, organizations reduce the likelihood that subjects will bypass policy controls through opportunistic or unauthorized actions.


Implementation Approaches

  • Create clear, accessible request processes for technology needs, system enhancements, and operational support requirements.
  • Ensure personnel understand how to escalate unmet needs when standard processes are insufficient, including rapid escalation pathways for operational environments.
  • Maintain service-level agreements (SLAs) or expected response times to requests, ensuring perceived barriers or delays do not incentivize unofficial action.
  • Integrate feedback mechanisms that allow users to suggest improvements or report resource shortfalls anonymously or through designated representatives.
  • Publicize successful examples where formal channels resulted in legitimate needs being met, reinforcing the effectiveness and trustworthiness of the system.


Operational Principles

  • Responsiveness: Requests must be acknowledged and processed promptly to prevent frustration and informal workarounds.
  • Transparency: Personnel should be informed about request status and outcomes to maintain trust in the process.
  • Accountability: Ownership for handling requests must be clearly assigned to responsible teams or individuals.
  • Cultural Integration: Leaders and supervisors should reinforce the use of formal channels and discourage unsanctioned self-remediation efforts.


Detection

DT144 Asset Register Correlation

Leverage the corporate asset register to correlate device ownership, user assignment, and provisioning status. This enables investigators to quickly determine:

  • Which subject(s) are assigned to a given device
  • Which devices are officially assigned to a given subject
  • Whether a device exists in inventory without an assigned owner (unprovisioned)
  • Whether a subject is using a device not present in the official register


By maintaining this cross-referenced view, investigators can detect orphaned assets, unauthorized re-use, and unmanaged endpoints that bypass provisioning controls. The asset register becomes both a baseline for enforcement and a forensic source of truth during insider threat investigations.


What an Asset Register Is

An asset register is a centralized, authoritative database that records all corporate hardware assets—most critically laptops, desktops, and other endpoints. Each record includes:

  • Unique asset identifier (serial number, asset tag, or hardware UUID)
  • Current assigned subject (mapped to Human Resources Information System (HRIS) identity)
  • Device state (active, decommissioned, loaner, in repair, unassigned)
  • Provisioning details (date issued, baseline configuration, security tooling enrollment)
  • Custodial history (who previously held the device and when it was reassigned)


The asset register provides a single point of truth that investigators and defenders can use to validate whether a device is legitimately in use and under control.


Implementation Approaches

  • Dedicated Asset Management Systems: Deploy enterprise-grade IT asset management platforms (e.g., ServiceNow, Lansweeper, Jamf, SCCM) with integrations to HRIS and Identity and Access Management (IAM).
  • MDM/EDR Integration: Ensure that mobile device management (MDM) and endpoint detection and response (EDR) solutions feed device enrollment status into the asset register.
  • HRIS Linkage: Automate assignment by linking HR onboarding/offboarding events directly to device provisioning and revocation workflows.
  • Physical Asset Tagging: Label each device with a unique asset tag or barcode tied to the register to prevent informal reallocation.
  • Audit and Recertification: Conduct periodic reconciliation (monthly or quarterly) to ensure the register reflects reality — identifying missing devices, duplicates, or ghost entries.
DT051 DNS Logging

Logging DNS requests made by corporate devices can assist with identifying what web resources a system has attempted to or successfully accessed.

DT096 DNS Monitoring

Monitor outbound DNS traffic for unusual or suspicious queries that may indicate DNS tunneling. DNS monitoring entails observing and analyzing Domain Name System (DNS) queries and responses to identify abnormal or malicious activities. This can be achieved using various security platforms and network appliances, including Network Intrusion Detection Systems (NIDS), specialized DNS services, and Security Information and Event Management (SIEM) systems that process DNS logs.
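
An added example (not from the ITM page or any vendor) of the kind of analysis DT051 and DT096 describe: it aggregates DNS query logs per client and registered domain and scores how many distinct subdomains were queried, how long they are and how random-looking, which are the usual indicators of data being encoded into query names. The log line format, the sample lines and the thresholds are all constructed assumptions; a real deployment parses its own resolver or NIDS export and tunes the thresholds against its baseline.

```python
"""Score DNS query logs for tunneling indicators (added example, constructed data)."""
import hashlib
import math
from collections import defaultdict

# Constructed log format: "<timestamp> <client-ip> <qtype> <qname>"
NORMAL_LINES = [
    "2025-09-08T09:00:01 10.0.0.5 A www.example.com",
    "2025-09-08T09:00:02 10.0.0.5 A login.microsoftonline.com",
    "2025-09-08T09:00:03 10.0.0.5 A mail.example.com",
    "2025-09-08T09:00:04 10.0.0.7 A www.example.com",
    "2025-09-08T09:00:05 10.0.0.7 AAAA teams.microsoft.com",
    "2025-09-08T09:00:06 10.0.0.5 A www.example.com",
]
# Constructed tunnel-like traffic: many long pseudo-random labels under one domain.
TUNNEL_LINES = [
    "2025-09-08T10:00:%02d 10.0.0.9 TXT %s.tunnel-example.test"
    % (i, hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48])
    for i in range(25)
]
SAMPLE_LOG = NORMAL_LINES + TUNNEL_LINES


def shannon_entropy(text: str) -> float:
    """Bits per character; hex or base32 payloads score close to their maximum."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered_domain). Simplification: the registered
    domain is the last two labels; production code should use a public suffix
    list so that names such as example.co.uk are split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(lines, min_queries=10, min_unique_ratio=0.8,
            long_label=30, high_entropy=3.5):
    """Aggregate per (client, domain) and return metrics with a 'suspicious' flag."""
    per_pair = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip malformed lines rather than crash
        _, client, qtype, qname = parts
        sub, dom = split_name(qname)
        per_pair[(client, dom)].append((qtype, sub))
    report = {}
    for key, entries in per_pair.items():
        subs = [s for _, s in entries]
        unique_ratio = len(set(subs)) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        txt_ratio = sum(1 for q, _ in entries if q == "TXT") / len(entries)
        suspicious = (len(entries) >= min_queries
                      and unique_ratio >= min_unique_ratio
                      and (mean_len >= long_label or mean_entropy >= high_entropy))
        report[key] = {"queries": len(entries),
                       "unique_ratio": round(unique_ratio, 2),
                       "mean_len": round(mean_len, 1),
                       "mean_entropy": round(mean_entropy, 2),
                       "txt_ratio": round(txt_ratio, 2),
                       "suspicious": suspicious}
    return report


def suspicious_pairs(lines):
    """(client, domain) pairs worth an analyst's attention, sorted for stable output."""
    return sorted(k for k, v in analyze(lines).items() if v["suspicious"])


if __name__ == "__main__":
    for pair in suspicious_pairs(SAMPLE_LOG):
        print(pair, analyze(SAMPLE_LOG)[pair])
```

Per-client aggregation matters here: a domain that looks noisy across the whole estate may be a CDN, while one unmanaged endpoint issuing hundreds of unique long labels to a single domain stands out immediately.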

DT067 Financial Auditing

Financial auditing independently reviews financial records to ensure accuracy and compliance, detecting irregularities and evaluating internal controls. It protects against abuse by identifying fraud and deterring dishonest behavior through increased accountability.

DT100 Virtual Private Network (VPN) Logs

Depending on the type of VPN appliance or service used, VPN logs can provide detailed records of user activity. These logs typically include information such as user IDs, device types, IP addresses, and connection timestamps. By analyzing VPN logs, security teams can identify deviations from normal usage patterns, such as connections from unusual geographic locations, access during odd hours, or unusually large data transfers. Anomalies in VPN usage can serve as early indicators of suspicious behavior, potentially signaling attempts at data exfiltration or other unauthorized activities. Alerts triggered by these irregularities allow for further investigation to assess potential threats.
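
An added example (not from the ITM page or any VPN vendor) of the baseline-and-deviation checks described above, run over constructed session records with the fields the entry lists (user, device, source location, timestamp, bytes). It flags a session from a country the user has never connected from, a start time outside the user's usual hours, an upload well above the user's median, and, most relevant to this technique, a device identifier that is not in the asset register. The record format, the baseline history, the sessions and the thresholds are all constructed assumptions.

```python
"""Baseline-and-deviation scoring of VPN sessions (added example, constructed data)."""
from datetime import datetime
from statistics import median

# Constructed asset-register extract: device ids the organisation actually issued.
KNOWN_DEVICES = {"LAPTOP-1001", "LAPTOP-1002"}

# Constructed VPN session history used to build per-user baselines.
HISTORY = [
    {"user": "alice", "device": "LAPTOP-1001", "country": "GB", "start": "2025-08-01T08:30:00", "bytes_out": 120_000_000},
    {"user": "alice", "device": "LAPTOP-1001", "country": "GB", "start": "2025-08-04T09:15:00", "bytes_out": 90_000_000},
    {"user": "alice", "device": "LAPTOP-1001", "country": "GB", "start": "2025-08-06T13:00:00", "bytes_out": 150_000_000},
    {"user": "bob", "device": "LAPTOP-1002", "country": "US", "start": "2025-08-02T10:00:00", "bytes_out": 50_000_000},
    {"user": "bob", "device": "LAPTOP-1002", "country": "US", "start": "2025-08-05T11:00:00", "bytes_out": 70_000_000},
]

# Constructed sessions to score against that baseline.
NEW_SESSIONS = [
    {"user": "alice", "device": "LAPTOP-1001", "country": "GB", "start": "2025-09-08T09:00:00", "bytes_out": 100_000_000},
    {"user": "alice", "device": "LAPTOP-1001", "country": "GB", "start": "2025-09-08T02:10:00", "bytes_out": 900_000_000},
    {"user": "bob", "device": "UNKNOWN-7F3A", "country": "RO", "start": "2025-09-08T10:30:00", "bytes_out": 40_000_000},
]


def build_baseline(history):
    """Per user: countries seen, start hours seen, and every upload size."""
    per_user = {}
    for s in history:
        b = per_user.setdefault(s["user"], {"countries": set(), "hours": [], "uploads": []})
        b["countries"].add(s["country"])
        b["hours"].append(datetime.fromisoformat(s["start"]).hour)
        b["uploads"].append(s["bytes_out"])
    return per_user


def score_session(session, baseline, known_devices, hour_slack=1, upload_factor=5.0):
    """Return the deviation codes for one session (empty list = nothing unusual)."""
    reasons = []
    b = baseline.get(session["user"])
    if b is None:
        reasons.append("no_baseline")          # first-ever session: review rather than score
    else:
        if session["country"] not in b["countries"]:
            reasons.append("new_country")
        hour = datetime.fromisoformat(session["start"]).hour
        if not (min(b["hours"]) - hour_slack <= hour <= max(b["hours"]) + hour_slack):
            reasons.append("unusual_hour")
        if session["bytes_out"] > upload_factor * median(b["uploads"]):
            reasons.append("large_upload")
    # Device check is independent of the baseline: an id the register does not
    # know is exactly the unmanaged endpoint this technique is about.
    if session["device"] not in known_devices:
        reasons.append("unregistered_device")
    return reasons


def alerts(sessions, history, known_devices):
    """Sessions with at least one deviation, in input order."""
    baseline = build_baseline(history)
    out = []
    for s in sessions:
        reasons = score_session(s, baseline, known_devices)
        if reasons:
            out.append({"user": s["user"], "device": s["device"],
                        "start": s["start"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for a in alerts(NEW_SESSIONS, HISTORY, KNOWN_DEVICES):
        print(a)
```

Using the median rather than the mean for the upload baseline keeps one earlier large transfer from hiding later ones, and keeping the device check separate from the per-user baseline means a brand-new, unregistered device is flagged even when everything else about the session looks normal.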