Traditional security focused on building stronger walls to block external attacks. However, increasingly, modern attackers no longer bother breaking in. They stroll unquestioned through the front door, flashing legitimate credentials obtained through sophisticated phishing and social engineering.
1. Why have credentials become your perimeter?
AI-generated voices, deepfake videos and carefully crafted emails now fool even security-aware staff; credential compromise can happen despite training and awareness programs. It’s no longer fair to blame users.
Add to this the reality of password fatigue – staff reusing passwords across systems, sharing credentials for convenience or choosing simple passwords that are easier to remember – and you have credentials that are vulnerable even when perimeter defences remain strong.
Once attackers have valid credentials, they bypass perimeter security entirely. Your strongest firewall can’t stop someone with legitimate access from walking through.
The security perimeter has shifted from network boundaries to identity itself.
2. What tools can monitor credential activity?
Protecting this new perimeter means monitoring how credentials are being used and detecting suspicious authentication patterns.
Tools like Microsoft Entra ID P2 monitor authentication activity, flag anomalies and detect suspicious patterns. Even when sophisticated phishing emails bypass mail filters or malware evades endpoint protection, credential monitoring provides an additional safety net. It detects logins from unusual locations, authentication attempts outside business hours, impossible travel where the same account appears in different countries within minutes and suspicious token binding activity.
Many organisations already have access to these capabilities through Microsoft 365 E5 licensing. The gap is configuration – setting up these tools properly to generate meaningful alerts. Too many organisations have credential monitoring capabilities sitting unused or misconfigured, leaving them protected on paper but vulnerable in practice.
These systems generate alerts whenever suspicious authentication activity occurs. But that’s only half the solution.
3. Who's watching and responding when alerts are triggered?
Australian organisations generate thousands of security alerts through their credential monitoring systems – proof that the detection works. However, when alerts trigger outside business hours – precisely when attackers know most organisations have limited or no security monitoring – there’s often nobody watching, triaging or responding. Hackers understand that evenings and weekends offer the widest window for undetected activity.
Security teams working standard 8-5 hours simply can’t act on alerts that occur on evenings and weekends. The systems detect the threat and send the alert, but without 24/7 monitoring, the warning goes unheeded until the next business day. By then, attackers have already moved laterally through the network, escalated privileges and accessed sensitive data.
It’s a question that sometimes comes up at a Sunday BBQ: “Who is monitoring your alerts right now?”
Making credential monitoring effective
Credential monitoring tools generate alerts, but the value comes from what happens next – continuous monitoring and clear response protocols when suspicious activity is detected.
A 24/7 Security Operations Centre (SOC) provides the monitoring layer that most organisations lack. When Entra ID P2 flags unusual authentication patterns – logins from unexpected locations or access attempts outside regular hours – trained analysts triage the alert in real time, determine whether it’s genuine or malicious, and act before attackers move laterally through your network.
Response speed matters. The difference between containing a credential compromise in minutes versus hours can determine whether an incident remains a blocked login attempt or becomes a full breach. This is where a 24/7 SOC with defined runbooks becomes essential – predefined protocols that specify the actions analysts can take when specific alerts are triggered.
Runbooks typically fall into two categories:
- Immediate protective action: If an executive account shows authentication attempts from multiple countries within minutes, the runbook authorises analysts to suspend the account and reset credentials immediately – what we call pressing the big red button.
- Escalation protocols: For critical systems where blocking access could disrupt business operations, the runbook defines who should be contacted, how quickly and what information they need to make informed decisions.
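As an added illustration of the detection patterns described above (impossible travel, after-hours sign-ins) and of how an alert maps onto the two runbook categories, the script below runs a minimal detector over constructed sign-in records. It is example code, not Nexon's tooling or an Entra ID P2 feature; the 60-minute impossible-travel window, the 8-5 business-hours range and the mapping of after-hours sign-ins to escalation are assumptions made for the example.

```python
# Added example (not Nexon's code or an Entra ID feature): a minimal detector for two of
# the authentication patterns the article describes, run over constructed sign-in records.
from datetime import datetime, timedelta

# Constructed sample sign-in records: (account, local timestamp, country). Not real log data.
SIGNINS = [
    ("ceo@example.com",     "2024-03-04T09:02:00", "AU"),
    ("ceo@example.com",     "2024-03-04T09:14:00", "RU"),  # same account, 12 min later, new country
    ("analyst@example.com", "2024-03-04T02:30:00", "AU"),  # 02:30: outside business hours
    ("analyst@example.com", "2024-03-04T10:00:00", "AU"),
    ("ops@example.com",     "2024-03-04T08:00:00", "AU"),
    ("ops@example.com",     "2024-03-05T08:05:00", "NZ"),  # next day: travel is plausible
]

BUSINESS_HOURS = range(8, 17)                        # the 8-5 coverage window from the article
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(minutes=60)    # assumption: two countries within an hour

def parse(records):
    return [(u, datetime.fromisoformat(t), c) for u, t, c in records]

def impossible_travel(records, window=IMPOSSIBLE_TRAVEL_WINDOW):
    """Flag accounts seen in two different countries within `window` of each other."""
    alerts = []
    last_seen = {}  # account -> (timestamp, country) of its most recent sign-in
    for user, ts, country in sorted(parse(records), key=lambda r: r[1]):
        prev = last_seen.get(user)
        if prev and prev[1] != country and ts - prev[0] <= window:
            minutes = int((ts - prev[0]).total_seconds() // 60)
            alerts.append((user, prev[1], country, minutes))
        last_seen[user] = (ts, country)
    return alerts

def after_hours(records, hours=BUSINESS_HOURS):
    """Flag sign-ins whose hour falls outside the monitored business window."""
    return [(u, ts.isoformat(), c) for u, ts, c in parse(records) if ts.hour not in hours]

def triage(records):
    """Map each alert onto the two runbook categories the article describes.
    Impossible travel -> immediate protective action (suspend account, reset credentials);
    after-hours sign-in -> escalation (assumption: a human decides whether to block)."""
    actions = []
    for user, a, b, mins in impossible_travel(records):
        actions.append(("immediate", user, f"seen in {a} and {b} {mins} min apart"))
    for user, when, _ in after_hours(records):
        actions.append(("escalate", user, f"after-hours sign-in at {when}"))
    return actions

if __name__ == "__main__":
    for action in triage(SIGNINS):
        print(action)
```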
Three practical checkpoints for credential security
- Configure: If you have Microsoft 365 E5 licensing, verify that Entra ID P2 is properly configured to monitor authentication patterns, enforce conditional access policies and generate alerts for suspicious activity.
- Monitor: Determine whether you have 8×5 or 24×7 coverage. If alerts go off outside business hours with nobody watching, your detection capability is dormant for 128 hours every week.
- Respond: Review your response protocols. Do you have runbooks that define what actions can be taken for different alert types? Are escalation paths clear? Do you know your mean time to detect and respond to credential compromises?
Credential security follows the same logical progression as Nexon Cyber’s broader framework: get protected (configure protection), stay protected (monitor and respond) and don’t get caught out (assess and optimise).
Mathew Boulenaz is Cyber Security Pre-Sales Lead at Nexon Asia Pacific. For more information about credential monitoring, SOC services and assessing your security posture, contact us at nexon.com.au/nexon-cyber