It never ceases to amaze me that despite all the various security articles published daily about either an external attack or insider threat, there are still companies out there who aren’t doing their due diligence when it comes to leavers. A leavers policy should be agreed upon by IT and HR (among other departments), but more importantly, actioned.

Not surprisingly, had basic threat detection rules been pre-configured with alarm notifications, together with UEBA, the internal SOC (assuming the Canadian Pacific Railway has one) would have been alerted at the first sign of malicious activity, rather than after the two days it took them to notice something had gone wrong. Auto-remediation via SAO would also have made life smoother for all.
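As an added illustration, not code from the original post, here is the shape of the kind of basic leaver detection rule referred to above: it joins an HR leaver feed against authentication logs and raises an alert for any event by a leaver's account on or after their leave date. The CSV layouts, usernames and timestamps are constructed sample data.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample HR leaver feed: username and the date they left.
LEAVERS_CSV = """user,leave_date
jdoe,2021-01-05
asmith,2021-01-10
"""

# Constructed sample authentication log: timestamp,user,system,outcome.
AUTH_LOG = """2021-01-04T09:12:00Z,jdoe,vpn,success
2021-01-06T22:41:00Z,jdoe,vpn,success
2021-01-07T01:03:00Z,jdoe,fileshare,success
2021-01-08T10:00:00Z,bjones,vpn,success
2021-01-11T03:15:00Z,asmith,vpn,failure
"""


def load_leavers(text):
    """Map username -> leave date (UTC midnight) from the HR leaver feed."""
    leavers = {}
    for row in csv.DictReader(io.StringIO(text)):
        day = datetime.fromisoformat(row["leave_date"])
        leavers[row["user"]] = day.replace(tzinfo=timezone.utc)
    return leavers


def detect_leaver_activity(log_text, leavers):
    """Return an alert for every auth event by a leaver on or after their
    leave date. A successful event is 'high' (the account was evidently
    never disabled); a failed one is 'medium' (the credentials are still
    being tried). Activity before the leave date is normal and skipped."""
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, system, outcome = line.split(",")
        if user not in leavers:
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if when < leavers[user]:
            continue
        severity = "high" if outcome == "success" else "medium"
        alerts.append({"user": user, "system": system,
                       "time": ts, "severity": severity})
    return alerts
```

In practice the leaver feed would be pulled from the HR system at each run, and the "high" alerts are the ones worth wiring to an automated disable-account action.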