With increasing sophistication and frequency of attacks, rapidly detecting signs of breaches and insider activities is critical for any enterprise.
Irregular Access Locations and Logins
When a user or program accesses an application from unexpected geographical locations, this is another indicator of compromise: an attacker appears to be hopping between different locations. Typically, this hopping is a masquerade; the attacker is actually stationary. Access from diverse geographical locations combined with rapid successive logins to your cloud application is a marker of pending trouble. A particularly strong indicator of compromise is the combination of irregular geographical access, rapid successive logins, and outbound network traffic going to a location where your enterprise usually doesn't conduct business.
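The correlation described above, as an added example that is not part of the original article: it flags each user with the signals that fired, so the three-signal combination stands out. The record layout, country list, 10-minute window and 3-login threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; set them from your own baseline.
EXPECTED_COUNTRIES = {"US", "CA"}   # where the enterprise normally operates
WINDOW = timedelta(minutes=10)      # span that counts as "rapid successive"
MIN_LOGINS = 3                      # logins inside WINDOW that form a burst

# Constructed sample records: (timestamp, user, country).
LOGINS = [
    ("2024-05-01T09:00:00", "alice", "US"),
    ("2024-05-01T09:02:00", "alice", "BR"),
    ("2024-05-01T09:04:00", "alice", "SG"),
    ("2024-05-01T09:05:00", "alice", "RO"),
    ("2024-05-01T09:00:00", "bob", "US"),
    ("2024-05-01T13:00:00", "bob", "CA"),
    ("2024-05-01T10:00:00", "carol", "US"),
    ("2024-05-01T10:01:00", "carol", "DE"),
    ("2024-05-01T10:03:00", "carol", "US"),
]
OUTBOUND = [  # assumes flow logs are already attributed to a user
    ("2024-05-01T09:07:00", "alice", "SG"),
    ("2024-05-01T13:05:00", "bob", "US"),
]

def detect(logins, outbound):
    """Return {user: [signals]} for users with at least one signal."""
    by_user = defaultdict(list)
    for ts, user, country in logins:
        by_user[user].append((datetime.fromisoformat(ts), country))
    odd_egress = {u for _, u, c in outbound if c not in EXPECTED_COUNTRIES}
    findings = {}
    for user, events in by_user.items():
        events.sort()
        signals = set()
        if any(c not in EXPECTED_COUNTRIES for _, c in events):
            signals.add("irregular_geo")
        for i, (start, _) in enumerate(events):  # window starting at each login
            if sum(t - start <= WINDOW for t, _ in events[i:]) >= MIN_LOGINS:
                signals.add("rapid_logins")
                break
        if user in odd_egress:
            signals.add("unusual_outbound")
        if signals:
            findings[user] = sorted(signals)
    return findings

def severity(signals):
    """All three signals together is the strong indicator from the text."""
    return {3: "high", 2: "medium"}.get(len(signals), "low")
```
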