NIST 800-171 • LEVEL 2 • SYSTEM AND INFORMATION INTEGRITY

3.14.7 Identify Unauthorized Use of Organizational Systems

Identify unauthorized use of organizational systems.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

Assessment objectives not available for this requirement.

Practitioner Notes

This practice is about detecting when someone or something is using your systems in a way that was not authorized -- whether that is an employee accessing data they should not, a compromised account, or shadow IT popping up on your network.

Example 1: Use Microsoft Defender for Identity (formerly Azure ATP) to monitor Active Directory for suspicious behaviors: pass-the-hash attacks, lateral movement, privilege escalation, or reconnaissance activity. It installs sensors on your domain controllers and flags anomalies like a user account suddenly querying all AD objects or authenticating from an unusual location.

Example 2: Implement network access control (NAC) using 802.1X authentication on your switches. Configure a RADIUS server (like Windows NPS) so that only domain-joined, authorized devices can connect to your network. Unrecognized devices get placed in a quarantine VLAN with no access to CUI systems. Review NAC logs weekly for unauthorized connection attempts.

Combine these with the audit logs from SI.L2-3.14.6 to build a complete picture of who is doing what on your network.
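The weekly NAC log review from Example 2, as an added example that is not part of the original page: it reads NPS Security-log events exported to CSV and lists devices that were denied (event 6273) or quarantined (event 6276) during the week, marking those that were never granted access (event 6272). The CSV column layout, the function name `weekly_nac_review` and the sample rows are assumptions constructed for this example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows. The column layout is an assumed export format
# chosen for this example, not a native NPS log format.
SAMPLE_EXPORT = """\
time,event_id,mac,switch_ip,port
2024-04-29T10:00:00,6272,00-11-22-AA-BB-01,10.0.0.2,Gi1/0/4
2024-05-02T11:30:00,6273,02-00-00-00-00-09,10.0.0.2,Gi1/0/9
2024-05-06T09:14:40,6273,DE-AD-BE-EF-00-01,10.0.0.2,Gi1/0/17
2024-05-07T09:15:02,6273,de:ad:be:ef:00:01,10.0.0.2,Gi1/0/17
2024-05-08T13:02:00,6276,DE-AD-BE-EF-00-01,10.0.0.3,Gi1/0/2
2024-05-09T11:30:00,6273,00-11-22-AA-BB-01,10.0.0.2,Gi1/0/4
"""

# NPS Security-log event IDs: access granted, denied, quarantined
GRANTED, DENIED, QUARANTINED = "6272", "6273", "6276"

def weekly_nac_review(export_text, week_end, repeat_threshold=3):
    """Summarize devices denied or quarantined in the 7 days before week_end."""
    week_start = week_end - timedelta(days=7)
    known_good = set()  # MACs granted access anywhere in the export
    findings = defaultdict(lambda: {"attempts": 0, "ports": set(), "last_seen": None})
    for row in csv.DictReader(io.StringIO(export_text)):
        when = datetime.fromisoformat(row["time"])
        # Normalize MAC notation so aa:bb:.. and AA-BB-.. count as one device
        mac = row["mac"].strip().upper().replace(":", "-")
        if row["event_id"] == GRANTED:
            known_good.add(mac)
        elif row["event_id"] in (DENIED, QUARANTINED) and week_start <= when < week_end:
            f = findings[mac]
            f["attempts"] += 1
            f["ports"].add((row["switch_ip"], row["port"]))
            f["last_seen"] = max(f["last_seen"] or when, when)
    report = [{"mac": m, "attempts": f["attempts"], "ports": sorted(f["ports"]),
               "last_seen": f["last_seen"], "never_authorized": m not in known_good,
               "repeated": f["attempts"] >= repeat_threshold} for m, f in findings.items()]
    # Devices never seen with a grant come first, then highest attempt count
    report.sort(key=lambda r: (not r["never_authorized"], -r["attempts"]))
    return report

if __name__ == "__main__":
    for entry in weekly_nac_review(SAMPLE_EXPORT, datetime(2024, 5, 13)):
        print(entry)
```

A device that is denied but has earlier grants (the second entry in the sample) usually points to a configuration or certificate problem rather than an unrecognized device, which is why the report separates the two.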