A while back I was coaching Jonathan, our intern, on updating our Cybercrime Controls and he came up with a good idea: let’s monitor for changes to passwords. At first glance this looks like low-hanging fruit for detecting hacking, which is coupled with malware in the majority of breach-related incidents. His line of thinking was essentially this: not only do we want to look for newly created and temporary accounts, but it might also be useful to see whether a password has been changed.
Of course, the immediate problem is that passwords do change – typically every 90 days, depending on other, related “strong authentication” settings and whatever security standards and policies apply to the given enterprise. When a password has been changed, how do we determine whether that change is expected or unexpected, good or bad, acceptable or unacceptable? The answer is somewhat complicated: It depends.
Who changed the password for the account? Was it someone who already had access to that account and was logged in? Was it an admin unlocking an account, or a self-help process similar to what many organizations now use for password management? When was the password changed? How close was that account to requiring a password change? Was the password changed because it hit its maximum lifetime? There are a lot of factors to consider.
This is a good example of analytics that typically require a human in the loop, but which I believe we can – and should – automate once we have the right models in place.
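As an added illustration, not code from the original post, here is a small Python triage routine that encodes the factors listed above (who changed the password, by what path, how much of the 90-day lifetime was left, and when). The event fields, method names, the 10-day “near expiry” window, the business-hours range and the sample events are all constructed assumptions; a real deployment would map them onto whatever your directory or IAM platform actually logs.

```python
"""Triage password-change events into expected / review / unexpected.

Added example, not from the original post. Field names, method labels,
thresholds and the sample events below are assumptions chosen for
illustration; they are not taken from any particular product's logs.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)    # policy lifetime mentioned in the post
NEAR_EXPIRY_WINDOW = timedelta(days=10)  # assumed: a change this close to expiry is routine
BUSINESS_HOURS = range(7, 20)            # assumed: 07:00-19:59 local time
# Assumed labels for the two change paths the post treats as ordinary.
EXPECTED_METHODS = {"self_change", "self_service_reset"}


@dataclass
class PasswordChangeEvent:
    timestamp: datetime        # when the change happened
    target: str                # account whose password was changed
    actor: str                 # account that performed the change
    method: str                # self_change, self_service_reset, admin_reset, unknown
    previous_change: datetime  # when the target's password was last set


def assess(event: PasswordChangeEvent, admins: set[str]) -> tuple[str, list[str]]:
    """Return (verdict, reasons). 'high' findings make the change unexpected,
    'medium' findings alone mean a human should review it."""
    findings: list[tuple[str, str]] = []
    age = event.timestamp - event.previous_change
    time_left = MAX_PASSWORD_AGE - age
    routine_path = event.method in EXPECTED_METHODS

    # Who changed it?  Someone other than the owner needs explaining; a
    # non-admin doing so is a strong signal of compromise or misuse.
    if event.actor != event.target:
        if event.actor in admins:
            findings.append(("medium", f"admin {event.actor} reset the password; correlate with a helpdesk ticket"))
        else:
            findings.append(("high", f"non-admin {event.actor} changed another account's password"))
    elif not routine_path:
        findings.append(("high", f"owner changed password via unrecognised method {event.method!r}"))

    # Was the change driven by the maximum-lifetime constraint?  If not, and it
    # did not come through a routine path, note how early it was.
    if not routine_path and time_left > NEAR_EXPIRY_WINDOW:
        findings.append(("medium", f"changed with {time_left.days} days of lifetime remaining"))

    # Timing only matters as an aggravating factor for non-routine changes.
    if not routine_path and event.timestamp.hour not in BUSINESS_HOURS:
        findings.append(("medium", "change made outside business hours"))

    if any(sev == "high" for sev, _ in findings):
        verdict = "unexpected"
    elif findings:
        verdict = "review"
    else:
        verdict = "expected"
    return verdict, [text for _, text in findings]


def triage(events: list[PasswordChangeEvent], admins: set[str]) -> list[dict]:
    """Run assess() over a batch of events and return one record per event."""
    results = []
    for ev in events:
        verdict, reasons = assess(ev, admins)
        results.append({"target": ev.target, "actor": ev.actor, "verdict": verdict, "reasons": reasons})
    return results


# Constructed sample data: one admin account and four change events.
ADMINS = {"helpdesk_admin"}
SAMPLE_EVENTS = [
    # alice changes her own password 3 days before expiry -> expected
    PasswordChangeEvent(datetime(2024, 3, 10, 9, 15), "alice", "alice", "self_change",
                        datetime(2023, 12, 14, 9, 0)),
    # helpdesk resets bob's password mid-lifetime in business hours -> review
    PasswordChangeEvent(datetime(2024, 3, 10, 14, 0), "bob", "helpdesk_admin", "admin_reset",
                        datetime(2024, 2, 1, 8, 0)),
    # non-admin 'dave' changes carol's password at 02:30, lifetime mostly left -> unexpected
    PasswordChangeEvent(datetime(2024, 3, 11, 2, 30), "carol", "dave", "unknown",
                        datetime(2024, 3, 1, 10, 0)),
    # erin uses the self-service portal late in the evening -> expected
    PasswordChangeEvent(datetime(2024, 3, 11, 22, 0), "erin", "erin", "self_service_reset",
                        datetime(2024, 1, 5, 9, 0)),
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_EVENTS, ADMINS):
        print(f"{rec['target']:<6} {rec['verdict']:<11} {'; '.join(rec['reasons']) or '-'}")
```

The verdict buckets mirror the post’s point: a self-change or self-service reset by the owner needs no attention, an admin reset is not wrong but needs to be tied to a ticket, and a third party who is not an administrator changing someone else’s password is the case worth alerting on immediately. The thresholds are the part a real model would learn from the organization’s own history rather than hard-code.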