All of the biggest data breaches, judged either by number of records breached or the importance of the data stolen, have involved attackers leveraging stolen user credentials to gain access. In many cases, the credentials were phished from a company or government agency employee, meaning an employee clicked on a planted link and unknowingly handed over his or her credentials. These attackers went on to impersonate employees, escalate privileges and, in some cases, create highly privileged phantom user accounts.
Most enterprises and government organizations that experience data breaches have traditional security point solutions, log management, and security information and event management (SIEM) solutions in place. However, SIEM is not a comprehensive solution on its own. There has been a great deal of focus on the attack-chain – or kill-chain – of steps in the process leading to these breaches.