When companies implement robust security protocols, attackers typically give up on attacking the system itself and instead target humans through social engineering attacks. I believe that one of the fundamentals of Zero Trust goes through assuming that nobody can be trusted, not even those with access.
While we can tune the service to be very granular and selective with who can access our system, I believe it could receive some improvements by giving the SOC alerts of potentially suspicious activity.
- Lateral movement detection (Why did an employee connect outside of their work hours? Why are they trying to access X resource that isn’t typically used? etc.).
- Possible credential theft (Why did the employee pass the password challenge but leave after MFA / 2FA? Why are they accessing through a VPN? Why are they outside their standard location?)
A compromise of an employee machine does not guarantee that the attackers have access to the system; however, it is a good indicator that something is off and should be investigated. More techniques could be indicators of compromise, but I believe that those would be an excellent start.
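As an added illustration of the alerting described in the two bullets above (not code from the original post or from any product), the following Python scores each authentication event against a constructed per-user baseline and tags the reasons as lateral-movement or credential-theft indicators. The baselines, the event records and their field names are assumptions; a real deployment would derive the baselines from historical identity-provider logs.

```python
from datetime import datetime

# Constructed per-user baseline (assumption: learned from past auth logs).
BASELINES = {
    "alice": {"work_hours": (8, 18), "resources": {"wiki", "mail"},
              "country": "NL", "vpn_expected": False},
}

# Constructed sample events; field names are assumptions, not a real log schema.
EVENTS = [
    {"user": "alice", "ts": "2024-03-04T10:15:00", "resource": "mail",
     "password_ok": True, "mfa_ok": True, "vpn": False, "country": "NL"},
    {"user": "alice", "ts": "2024-03-04T02:40:00", "resource": "finance-db",
     "password_ok": True, "mfa_ok": True, "vpn": False, "country": "NL"},
    {"user": "alice", "ts": "2024-03-04T11:05:00", "resource": "mail",
     "password_ok": True, "mfa_ok": False, "vpn": True, "country": "BR"},
]


def flag_event(event, baselines):
    """Return (category, reason) pairs for everything that deviates from baseline."""
    base = baselines.get(event["user"])
    if base is None:
        return [("unknown", "no baseline for user")]
    reasons = []
    hour = datetime.fromisoformat(event["ts"]).hour
    start, end = base["work_hours"]
    if not start <= hour < end:                      # off-hours connection
        reasons.append(("lateral movement", "outside work hours"))
    if event["resource"] not in base["resources"]:   # resource not normally used
        reasons.append(("lateral movement", "unusual resource"))
    if event["password_ok"] and not event["mfa_ok"]: # password known, MFA abandoned
        reasons.append(("credential theft", "password accepted but MFA not completed"))
    if event["vpn"] and not base["vpn_expected"]:    # VPN where none is expected
        reasons.append(("credential theft", "unexpected VPN access"))
    if event["country"] != base["country"]:          # outside standard location
        reasons.append(("credential theft", "unusual location"))
    return reasons


def triage(events, baselines):
    """Collect only the events that raised at least one indicator, for the SOC queue."""
    alerts = []
    for e in events:
        reasons = flag_event(e, baselines)
        if reasons:
            alerts.append((e["user"], e["ts"], reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in triage(EVENTS, BASELINES):
        print(user, ts, reasons)
```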