Seeky

Identity security in 2025: what’s evolving?

Date of issue

1. 9. 2025


How to effectively prevent access compromise?

How do you know if someone has just logged in under your colleague’s identity – and how do you stop them in time?

Why is it not enough to have MFA today – and what steps will really protect against attacks in 2025?

Identity as a new frontier of defence

Forget the perimeter. In a digital world scattered across cloud, hybrid workplaces and BYOD devices, identity is a major attack vector.

It only takes the compromise of a single credential to make an attacker an “authorized” user.

The Zero Trust concept is built on this reality. It holds that:

  • no user,
  • no device,
  • no location
    …is inherently trustworthy.

Therefore, it is not enough to protect the entrance.
You have to understand the behavior inside.

MFA: Insufficient but necessary minimum

Multi-factor authentication is now deployed by most companies – often in the form of an SMS code or push notification. It’s a good start. But in terms of today’s attacks it’s no longer nearly enough.

Modern attacks bypass MFA:

  • using phishing proxy tools,
  • man-in-the-middle technique,
  • stealing session tokens.

A stronger approach:

  • Phishing-resistant MFA: FIDO2 tokens, Windows Hello for Business
  • Conditional Access: different levels of trust depending on the context of access

🔐 MFA is not a goal today. It’s a foundation you need to build on.

Context is Key: Adaptive Access & Risk-Based Authentication

Modern tools such as Microsoft Entra ID or Okta allow you to evaluate logins not only by identity, but also by their context. We call this risk-based authentication.

Examples of risk signals:

  • Unusual geolocation (e.g. Asia, but the employee is in Brno)
  • Unknown device or incompatible OS
  • Suspect IP address – such as a public VPN or an anonymiser
  • History of accesses that does not correspond to normal behaviour

What does the system do?

  • Requires stronger verification
  • Blocks access to sensitive applications
  • Or it stops the whole login

➡️ Don’t just judge who is logging in, but how and why.
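The risk signals and responses listed above, worked through as an added example (not code from Entra ID, Okta or this article's author): a sign-in is checked against a per-user baseline for the four signals and mapped to one of the three responses. The event fields, anonymiser range, sensitive-app list and thresholds are assumptions made for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumptions, not from the article: a feed of anonymiser ranges (an RFC 5737
# documentation range stands in here), an app sensitivity list, and thresholds.
ANONYMISER_NETS = [ip_network("203.0.113.0/24")]
SENSITIVE_APPS = {"payroll"}

# hour is the local hour of day, 0-23
SignIn = namedtuple("SignIn", "user country device ip hour app")

# Constructed history: one user signing in from Brno (CZ) during office hours.
HISTORY = [SignIn("novak", "CZ", "laptop-01", "198.51.100.7", h, "mail")
           for h in (8, 9, 13, 16)]

def build_baseline(history):
    """Per user: the countries, devices and hours seen in past sign-ins."""
    base = {}
    for e in history:
        b = base.setdefault(e.user, {"country": set(), "device": set(), "hour": set()})
        for key in b:
            b[key].add(getattr(e, key))
    return base

def risk_signals(e, baseline):
    """Names of the risk signals that fire for sign-in e."""
    # A user with no history has an empty baseline, so every check fires.
    b = baseline.get(e.user, {"country": set(), "device": set(), "hour": set()})
    fired = []
    if e.country not in b["country"]:
        fired.append("unusual_geolocation")
    if e.device not in b["device"]:
        fired.append("unknown_device")
    if any(ip_address(e.ip) in net for net in ANONYMISER_NETS):
        fired.append("suspect_ip")
    # Access history: no past sign-in within one hour (circular) of this one.
    if not any(min(abs(e.hour - h), 24 - abs(e.hour - h)) <= 1 for h in b["hour"]):
        fired.append("unusual_history")
    return fired

def decide(e, baseline):
    """Map fired signals to the responses listed above (thresholds assumed)."""
    fired = risk_signals(e, baseline)
    if len(fired) >= 3:
        return "block_login", fired
    if fired and e.app in SENSITIVE_APPS:
        return "block_sensitive_app", fired
    return ("step_up_mfa" if fired else "allow"), fired
```
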

Compromise is not always loud – that’s why you have to look for it

Attackers in 2025 are not noisy. They don’t send skull emails, they don’t set off red alerts. They proceed quietly and methodically. They work with compromised access and test what they can get away with.

To detect them, you need user behaviour analysis (UEBA) that:

  • compares the actual behaviour with the standard pattern,
  • looks for anomalies in the access data,
  • also detects so-called “silent” attacks – insider threat, delegated access, new applications without approval.

What good monitoring should include:

  • Increase in MFA login attempts or failures
  • Suspicious combinations of roles and applications
  • Access from a device the user has never used before
  • Using global permissions without a reason

🔍 This is exactly how SecuRadar Complete works: it uses Microsoft Sentinel, MITRE ATT&CK classification and automatic real-time anomaly detection.

Automated response: when the system doesn’t wait for a human decision

Detection is only the first step. In the real world, you have to react within seconds, and at that moment you need tools that don’t wait for analysis.

Automated response includes:

  • Isolate the compromised device
  • Forced sign-out and token lockout
  • Reset password
  • Activate the security playbook (e.g. via Microsoft Sentinel)

The key is a pre-prepared script. The incident must not be a surprise – it must be an expected scenario.

Recommendations for companies: how to protect identities strategically

Stop relying on passwords and standard MFA

Deploying phishing-resistant authentication is an absolute must today.

Bet on contextual access control

Conditional access with risk-based granularity significantly increases security without unnecessary burden on the user.

Analyse behaviour – not just technical data

UEBA and data correlation reveal what the logs don’t.

Automate reactions – reduce decision-making time

Speed is often the only difference between successful protection and an incident.

In an environment full of mobile working, cloud applications and decentralised teams, identity is both the most sensitive and the most vulnerable place of your infrastructure.
