Monitoring and Least Privilege (Domain 2)
In this episode, we are focusing on two essential security practices: monitoring and least privilege. Monitoring helps you detect and respond to threats early, while least privilege helps you prevent those threats from having serious impact if they do get inside. These practices are not just theoretical—they’re real-world defenses that reduce risk and strengthen incident response in every environment.
Let’s start with monitoring. At its core, monitoring means observing systems, networks, and user activity for signs that something unusual—or outright malicious—is happening. The earlier you detect abnormal behavior, the faster you can contain and eliminate the threat. Modern attacks often start with small indicators: a failed login, an unusual data transfer, or an unknown process running in the background. If you’re watching closely, you can stop an attack before it spreads.
Continuous monitoring means collecting data in real time and using automated tools to analyze it. This includes tracking login events, network traffic, system health, user activity, and more. Without monitoring, you’re flying blind—unable to tell whether your defenses are working or whether a breach has already occurred.
Security Information and Event Management systems, or SIEM platforms, are one of the most effective ways to monitor large environments. A SIEM collects logs from multiple sources, correlates events across systems, and raises alerts when suspicious patterns are detected. For example, a SIEM might notice that a user account just failed five logins in a row, then suddenly logged in successfully from a different country. That pattern—by itself—may not trigger alarms, but when correlated with other behavior, it becomes a red flag.
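As an added example (not from the episode), the correlation rule just described, run over constructed log lines: a streak of failed logins alone stays quiet, and so does a success from the same country, but five failures followed by a success from a country not seen in those failures produces an alert. The key=value log format, user names and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed key=value format (not from the episode).
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z user=alice result=FAIL src=198.51.100.7 country=US
2024-03-01T08:00:05Z user=alice result=FAIL src=198.51.100.7 country=US
2024-03-01T08:00:09Z user=alice result=FAIL src=198.51.100.7 country=US
2024-03-01T08:00:14Z user=alice result=FAIL src=198.51.100.7 country=US
2024-03-01T08:00:18Z user=alice result=FAIL src=198.51.100.7 country=US
2024-03-01T08:01:02Z user=alice result=SUCCESS src=203.0.113.44 country=RO
2024-03-01T08:02:00Z user=bob result=FAIL src=192.0.2.10 country=US
2024-03-01T08:02:30Z user=bob result=SUCCESS src=192.0.2.10 country=US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) country=(?P<country>\S+)$"
)

def parse_events(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def correlate_logins(log_text, threshold=5):
    """Alert when a user has >= threshold consecutive failed logins and the
    next success comes from a country not seen during those failures."""
    streaks = defaultdict(lambda: {"fails": 0, "countries": set()})
    alerts = []
    for ev in parse_events(log_text):
        s = streaks[ev["user"]]
        if ev["result"] == "FAIL":
            s["fails"] += 1
            s["countries"].add(ev["country"])
            continue
        if s["fails"] >= threshold and ev["country"] not in s["countries"]:
            alerts.append({
                "user": ev["user"], "ts": ev["ts"], "src": ev["src"],
                "failed_attempts": s["fails"],
                "fail_countries": sorted(s["countries"]),
                "success_country": ev["country"],
            })
        # any successful login closes that user's failure streak
        streaks.pop(ev["user"], None)
    return alerts
```

In a real SIEM the same rule would also carry a time window so that failures from last week do not count toward today's streak.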
Log analysis is another crucial monitoring technique. This involves reviewing system and application logs to spot signs of compromise, such as unauthorized access, process anomalies, or configuration changes. While automated tools help with scale, manual log reviews still play a role—especially during incident response or compliance audits.
Case examples highlight the value of monitoring. In one case, a bank’s SIEM detected repeated failed logins on several administrator accounts. Because the system was being monitored in real time, the security team locked down access and found that the source was an external IP address launching a brute-force attack. No accounts were breached, and no data was lost—because the team had visibility into what was happening.
Now let’s turn to least privilege. The principle of least privilege is simple: users and systems should only have the minimum permissions needed to perform their job functions. If someone doesn’t need administrative access, they shouldn’t have it. If a system only needs read access to a file, it should not be allowed to write to it.
By limiting access, you reduce the damage that can be done if an account is compromised. An attacker who takes over a standard user account may be able to view basic data—but they won’t be able to install software, access sensitive files, or alter configurations. That delay gives defenders time to respond and limit exposure.
There are several methods to implement least privilege. Role-based access control assigns permissions based on job function. For example, someone in the Human Resources department might have access to employee records, but not to financial systems. Just-in-time access is another strategy. It allows users to temporarily elevate their privileges only when needed—and only with approval. Once the task is complete, privileges are revoked automatically.
Another approach is to separate duties. This means splitting sensitive tasks between multiple people. For example, the person who approves financial transactions should not be the same person who initiates them. This prevents a single user from executing fraudulent actions alone.
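The three least-privilege methods above (role-based access control, just-in-time elevation, and separation of duties) combined into one small policy engine, as an added example that is not from the episode. Role names, permission strings and user names are assumed; the JIT grant needs a distinct approver and is revoked automatically once its expiry passes.

```python
from datetime import datetime, timedelta, timezone

# Constructed role model with assumed role and permission names (not from the episode).
ROLE_PERMISSIONS = {
    "hr_analyst": {"employee_records:read"},
    "finance_clerk": {"transactions:initiate"},
    "finance_manager": {"transactions:approve"},
    "sysadmin": {"servers:admin"},
}

class AccessPolicy:
    """Role-based permissions plus time-boxed, approver-gated JIT elevation."""

    def __init__(self, user_roles, clock=None):
        self.user_roles = user_roles      # user -> set of role names
        self.jit_grants = {}              # (user, permission) -> (expiry, approver)
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def grant_jit(self, user, permission, approver, minutes=30):
        """Temporary elevation; self-approval is refused and the grant expires on its own."""
        if approver == user:
            return False
        expiry = self.clock() + timedelta(minutes=minutes)
        self.jit_grants[(user, permission)] = (expiry, approver)
        return True

    def has_permission(self, user, permission):
        roles = self.user_roles.get(user, set())
        if any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles):
            return True
        grant = self.jit_grants.get((user, permission))
        if grant and grant[0] > self.clock():
            return True
        self.jit_grants.pop((user, permission), None)  # expired: revoke automatically
        return False

def approve_transaction(policy, txn, approver):
    """Separation of duties: the approver must hold the right and must not be the initiator."""
    if approver == txn["initiated_by"]:
        return False, "initiator may not approve their own transaction"
    if not policy.has_permission(approver, "transactions:approve"):
        return False, "approver lacks transactions:approve"
    return True, "approved"
```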
Examples of privilege abuse are common in data breach reports. In one case, a disgruntled employee had retained administrative access after moving to a different role. He used those privileges to exfiltrate sensitive data before leaving the company. The breach could have been prevented if access had been reviewed and adjusted according to the new role.
In another incident, malware installed on a low-level workstation was able to spread across the entire environment because the infected system had unnecessary network access and local administrator rights. The infection escalated quickly, but the root cause was poor access control—not advanced malware.
To enforce least privilege, organizations should regularly audit user permissions, enforce role-based policies, and monitor for privilege escalations. Systems should be configured to log every access attempt—successful or not—and security teams should review access reports for abnormalities.
As you prepare for the Security Plus exam, remember that monitoring gives you the ability to detect and respond, while least privilege limits what an attacker can do if they break in. Expect questions that describe behavioral anomalies, unexplained access, or account misuse—and be ready to identify the indicators and propose monitoring or privilege-based mitigations. Focus on the why as well as the how, because understanding the intent behind these controls is just as important as deploying them correctly.
