
5 Everyday Activities That Could Mask Malicious Behavior

Thanksgiving is now in our rearview mirror and the excitement of the winter holidays is upon us. As we approach the end of the year, it’s fun to look back at all the things we accomplished – and perhaps finish some of those things we put off until we had more time. One of the most important things we all-too-often set aside is implementing appropriate logging and monitoring practices. There’s no better time to go back and fix auditing for all systems, including those rolled out in 2018. Below are five commonplace tasks security professionals should monitor for suspicious or malicious activity.

  1. User Account Management

Creating, managing and terminating user accounts is a basic function that all organizations manage. The task of creating users usually falls to the same person or team. If anyone other than those individuals creates an account, it should raise a red flag. Furthermore, security should monitor and review user activity like password resets, account disabling/enabling, lockouts, and new group membership or revocation regularly (probably weekly). Pay close attention to anything related to remote access, too. The bad guys want easy ways to access the network and creating a user with remote access can provide a persistent gateway if nobody’s watching the gate.

  2. Software Installation and Removal

There’s software that’s authorized to run and software that isn’t. At the server level, this should be pretty easy to monitor if you have a SIEM. Any time new software is installed on a server, the security team should know. At the desktop layer, this is a little bit more difficult. The best way to monitor is with an endpoint management solution that runs an agent on all machines and oversees software management. Either way, software installs should be monitored for unapproved software and acted on immediately. This technique also provides an avenue for controlling the installation of licensed software that may carry additional cost for each system it’s installed on.

  3. Network Connections

This starts internally on the network. For example, if a guest plugs their computer into an open network jack, the security team should know. The connection of wireless access points or home-use switches/routers (typically by well-meaning employees just looking to connect multiple devices) should be identified and remediated immediately. I also like to look at new site-to-site VPN connections or additions to the WAN. All of this can be easily customized within a SIEM that is gathering logs from network devices. I like to take this a step further by monitoring endpoints for removable media like USB drives or smartphone connections (usually by users charging their phone). While not necessarily connecting to a network jack, they are still a new device on the network that can create havoc.

  4. Changes to Auditing/Logging

This one’s pretty simple. Bad guys want to hide their tracks. They do that by turning off logging so you can’t see what they did. If someone turns logging off or clears logs, it should trigger an immediate response. It’s also a great way for disgruntled administrators to hide what they’re doing.

  5. Privileged and Service Accounts

We all trust our administrators, but they can do the most harm, so we have to watch them closely. When they create, change, or delete privileged accounts, an alert should immediately sound. Review of privileged account activity on a weekly basis will identify trends or unusual behavior. Failed login attempts and lockouts for these accounts are critical. If you’re allowing shared privileged accounts, monitoring becomes more important. You need to be able to quickly track down who used an account if necessary.

Like privileged accounts, service accounts usually have administrator level access. If these accounts are being used correctly, that’s fine. I like to look for interactive logins for service accounts. That’s usually a sign of a compromised (or improperly used) account. Service accounts are meant to be used by systems, so only systems should be using them. It’s easy to lose track of these too, so detecting creation and baselining the activity is critical.
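As an added example (not code from the Arraya post or any vendor's SIEM), the following toy detection rules cover three of the activities above: account creation by someone outside the provisioning team (section 1), clearing the audit log or changing audit policy (section 4), and interactive logons by service accounts (section 5). The Windows Security event IDs and logon types are standard; the account names, the provisioning allow-list and the `svc-` naming convention are assumptions made for illustration.

```python
# Added example: SIEM-style rules over constructed Windows Security events.
# The provisioning allow-list and service-account prefix are assumptions.
from collections import namedtuple

# subject  = account performing the action (or "-" when not applicable)
# target   = account affected, or the account logging on for event 4624
Event = namedtuple("Event", "event_id subject target logon_type")

# Assumed: only these accounts are permitted to create users (section 1).
PROVISIONING_TEAM = {"svc-idm", "jdoe-admin"}
# Assumed: service accounts follow a naming convention (section 5).
SERVICE_PREFIX = "svc-"
# Logon types that mean a human sat at a console or RDP session.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive

def check(event):
    """Return an alert string for a suspicious event, or None if benign."""
    # Section 1: 4720 "A user account was created" by a non-provisioner.
    if event.event_id == 4720 and event.subject not in PROVISIONING_TEAM:
        return f"unexpected account creation of {event.target} by {event.subject}"
    # Section 4: 1102 "The audit log was cleared"; 4719 "System audit policy was changed".
    if event.event_id == 1102:
        return f"security log cleared by {event.subject}"
    if event.event_id == 4719:
        return f"audit policy changed by {event.subject}"
    # Section 5: 4624 logon success with an interactive type for a service account.
    if (event.event_id == 4624 and event.target.startswith(SERVICE_PREFIX)
            and event.logon_type in INTERACTIVE_LOGON_TYPES):
        return f"interactive logon (type {event.logon_type}) by service account {event.target}"
    return None

def run(events):
    """Apply check() to every event and return the list of alerts raised."""
    return [alert for alert in (check(e) for e in events) if alert]

# Constructed sample events; not real log data.
SAMPLE = [
    Event(4720, "svc-idm", "newhire01", None),   # normal provisioning: no alert
    Event(4720, "bsmith", "extra-admin", None),  # creation by a non-provisioner
    Event(4624, "-", "svc-backup", 5),           # type 5 = service logon: expected
    Event(4624, "-", "svc-backup", 10),          # RDP logon with a service account
    Event(1102, "bsmith", "-", None),            # audit log cleared
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print("ALERT:", alert)
```

In a real deployment the same three rules map directly onto SIEM correlation searches; the value is in maintaining the allow-list and the service-account baseline, not in the rule logic itself.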

Create a (Healthy) Culture of Paranoia

Security teams should be transparent in what they’re doing. None of this should be secret, and everyone should know they’re being watched all the time. Users that know security is watching tend to behave a little better (hopefully). I highly recommend SIEM technology that’s scalable, easy to use, and can seamlessly connect with different technologies. Then, take the time to set the logging correctly on devices and create alerts for suspicious activity. Follow all this up with weekly meetings to review activity for anomalies. Once these processes are up and running, the effort becomes minimal to maintain them.

© 2025 Arraya Solutions. All rights reserved.