The Network: A mid-sized state university with multiple locations and 30,000 students.
The Expectation: The university library subscribes to expensive publications and bibliographic databases to support its research staff and students. These subscriptions cost several thousand dollars each year. Remote access is governed by EZproxy.
The Catch: EventTracker detected a particular staff user accessing special databases in the library collection at unusual times and with heavy frequency. This usage pattern was inconsistent with normal behavior.
The Find: The user's credentials had been stolen and were being used by a former student from off campus. Classic case of unauthorized access: an outsider masquerading as an insider.
The Fix: Change the user's password and continue monitoring usage patterns to seek out inconsistencies.
The Lesson: Remote access to expensive resources, even successful access, bears watching. Profiling typical usage patterns on high-value systems helps detect out-of-the-ordinary usage.
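
The profiling idea in the lesson above, as an added example (not EventTracker's or the university's code): it builds a per-user baseline from EZproxy access logs and flags days whose activity falls at hours the user has never used or far exceeds the user's busiest baseline day. It assumes the NCSA-style EZproxy LogFormat `%h %l %u %t "%r" %s %b`; the function names, thresholds, usernames and log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed EZproxy LogFormat: %h %l %u %t "%r" %s %b (NCSA common log format).
LINE = re.compile(r'^\S+ \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) \S+$')

def parse(lines):
    """Yield (user, timestamp) for successful, authenticated requests."""
    for line in lines:
        m = LINE.match(line.strip())
        if m and m.group(1) != "-" and m.group(3).startswith("2"):
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def profile(lines):
    """Per user: hours of day seen, and the busiest day's request count."""
    hours, per_day = defaultdict(set), defaultdict(Counter)
    for user, ts in parse(lines):
        hours[user].add(ts.hour)
        per_day[user][ts.date()] += 1
    return {u: (hours[u], max(per_day[u].values())) for u in hours}

def anomalies(baseline, lines, volume_factor=3, odd_share=0.5):
    """Flag (user, day) pairs that break the user's own baseline."""
    days = defaultdict(list)
    for user, ts in parse(lines):
        days[(user, ts.date())].append(ts.hour)
    findings = {}
    for (user, day), seen in sorted(days.items()):
        if user not in baseline:  # nothing to compare against
            findings[(user, str(day))] = ["no baseline"]
            continue
        usual_hours, peak = baseline[user]
        reasons = []
        if sum(h not in usual_hours for h in seen) / len(seen) >= odd_share:
            reasons.append("unusual hours")
        if len(seen) >= volume_factor * peak:
            reasons.append("heavy frequency")
        if reasons:
            findings[(user, str(day))] = reasons
    return findings

def _line(user, ip, day, hour, minute):  # builds one constructed sample log line
    return (f'{ip} - {user} [{day:02d}/Mar/2015:{hour:02d}:{minute:02d}:00 -0500] '
            f'"GET http://db.example.edu:80/search HTTP/1.1" 200 5120')

BASELINE = [_line(u, "198.51.100.10", d, h, 0)
            for u in ("staff1", "staff2") for d in (2, 3, 4) for h in (9, 11, 14)]
TODAY = ([_line("staff1", "203.0.113.7", 9, h, m) for h in (1, 2, 3) for m in range(0, 60, 5)]
         + [_line("staff2", "198.51.100.10", 9, h, 0) for h in (9, 14)])
```

Calling `anomalies(profile(BASELINE), TODAY)` flags only `staff1`, for both unusual hours and heavy frequency, while `staff2`'s normal daytime use passes.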