This is a personal blog and all content herein is my personal opinion and not that of my employer.
Introduction
Modern enterprise security is built on a simple idea: keep the bad guys out. But what happens when the “bad guy” is already inside–riding a legitimate session, holding a real token, operating within a trusted identity?
This post explores a growing gap in how we approach security: the imbalance between inbound controls (getting in) and outbound oversight (what happens next). It’s a conversation I’ve had with other researchers lately, and one that deserves more attention.
The Identity Inversion
Most of our controls today–Conditional Access, MFA, device compliance, session tokens–are designed to validate who you are and whether you’re allowed in. These are important signals. But attackers no longer care about breaking doors down. They just walk in behind someone else.
Once inside, they use:
- Legitimate tokens
- Valid user sessions
- Devices marked as “compliant”
- APIs and services designed to trust the identity context
From that point on, most traditional controls become irrelevant. They’re in, and now they’re just doing what users do.
The Problem: Inbound Bias
Security programs tend to overweight the authentication moment. Everything hinges on it:
- Conditional Access policies
- Network restrictions
- Device trust models
- Risk-based sign-in decisions
But this leads to two false assumptions:
- If access was granted, everything is fine.
- If we stop attackers from getting in, we’ve won.
Neither is true.
Attackers don’t need to break authentication if they can steal a token or session. And once in, they’ll:
- Read emails
- Exfiltrate SharePoint or Teams data
- Abuse automation tools
- Move laterally using the access already granted to the user
All within the boundaries of the trusted session.
The Shift: From Gatekeeping to Flow Awareness
It’s time to shift focus from just getting in, to what happens next.
This doesn’t mean access controls don’t matter–they absolutely do. But they’re not enough.
We need to complement them with:
- Outbound policy enforcement (e.g., restricting what data can leave, or where it can go)
- Behavioral anomaly detection (e.g., “this user never downloads 5GB from SharePoint”)
- Session-level analytics (e.g., tracing what users do after logging in)
- Real-time DLP and insider threat controls (e.g., blocking confidential data uploads to personal storage)
And more importantly: treat every session as potentially compromised, not just every sign-in.
Identity Is the New Network. Context Is the New Firewall.
We used to segment by IP ranges and VLANs. Now we segment by identity, device state, and risk posture.
But segmentation means nothing if the context can be hijacked.
Attackers today live inside:
- M365 tenants
- Entra ID sessions
- Cloud PCs
- Dev environments
And they don’t need malware. They need a token and a purpose.
So while we work on strengthening sign-in protections, device compliance, and Conditional Access, we also need to:
- Watch what users do
- Understand the intent behind the action
- Interrupt the session when the behavior doesn’t match the context
Because if the first 10 minutes of the session look normal, but minute 11 looks like exfiltration–it should matter.
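To make the two lists above concrete (session-level analytics and behavioral anomaly detection, and the "watch, understand, interrupt" loop just described), here is an added example of a small post-sign-in session monitor. It is illustrative code written for this post, not a product or a real tenant's telemetry: the event format, the per-user download baselines and the session itself are constructed, and the thresholds (a z-score of 3 over the user's history, with a fixed floor) are assumptions, not tuned values. It replays a session in time order and raises an alert at the first minute where the behavior no longer matches the user's context.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Event:
    """One post-sign-in activity record. Constructed format, not a real audit schema."""
    minute: int            # minutes since the session was established
    user: str
    action: str            # e.g. "mail.read", "sharepoint.download", "storage.upload"
    nbytes: int = 0        # payload size for downloads/uploads
    destination: str = ""  # target host for uploads

# Constructed per-user history: daily SharePoint download bytes over recent days.
BASELINES = {
    "alice": [40_000_000, 55_000_000, 30_000_000, 60_000_000, 45_000_000],
}

# Hosts where data is allowed to go; anything else is treated as a leak path.
CORPORATE_DOMAINS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}

def download_threshold(history, z=3.0, floor=100_000_000):
    """Per-user volume threshold: mean + z*stddev of history, never below a floor.
    The floor avoids paging on users with little or very flat history."""
    if not history:
        return floor
    return max(floor, mean(history) + z * pstdev(history))

def evaluate_session(events, baselines, corporate_domains):
    """Replay a session in time order and return alerts with the minute they fire.
    Two checks: cumulative download volume vs the user's baseline, and uploads
    to non-corporate destinations (the 'personal storage' DLP case)."""
    alerts = []
    downloaded = 0
    for e in sorted(events, key=lambda ev: ev.minute):
        if e.action == "sharepoint.download":
            downloaded += e.nbytes
            limit = download_threshold(baselines.get(e.user, []))
            if downloaded > limit:
                alerts.append({
                    "minute": e.minute,
                    "reason": "download_volume_anomaly",
                    "detail": f"{downloaded} bytes in session > baseline limit {int(limit)}",
                    "response": "revoke_session",   # interrupt, don't just log
                })
        elif e.action == "storage.upload" and e.destination not in corporate_domains:
            alerts.append({
                "minute": e.minute,
                "reason": "upload_to_untrusted_destination",
                "detail": f"{e.nbytes} bytes to {e.destination}",
                "response": "block_and_revoke",
            })
    return alerts

def first_interrupt_minute(alerts):
    """Minute at which the session should be interrupted, or None if it looks normal."""
    return alerts[0]["minute"] if alerts else None

# Constructed session: ten normal-looking minutes, then exfiltration-shaped behavior.
SAMPLE_SESSION = [
    Event(1, "alice", "mail.read"),
    Event(3, "alice", "teams.read"),
    Event(5, "alice", "sharepoint.download", 20_000_000),
    Event(8, "alice", "sharepoint.download", 30_000_000),
    Event(9, "alice", "mail.read"),
    Event(11, "alice", "sharepoint.download", 5_000_000_000),
    Event(12, "alice", "storage.upload", 5_000_000_000, "personal-drive.example"),
]

if __name__ == "__main__":
    found = evaluate_session(SAMPLE_SESSION, BASELINES, CORPORATE_DOMAINS)
    for a in found:
        print(f"minute {a['minute']:>2}: {a['reason']} -> {a['response']} ({a['detail']})")
    print("interrupt at minute:", first_interrupt_minute(found))
```

Minutes 1 through 10 produce nothing; the 5 GB pull at minute 11 crosses the user's baseline limit and the upload at minute 12 hits a destination outside the corporate set. The point of the design is that every decision is made on session context that authentication never sees: the baseline belongs to the identity, the destination check belongs to the data flow, and the response is to end the session rather than to wait for the next sign-in.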
Conclusion
The future of enterprise defense isn’t just about stopping people from getting in. It’s about understanding what they do once they’re in.
If your security program assumes the job is done after authentication, it’s missing half the picture.
It’s time we invest just as much in activity visibility, intent modeling, and outbound enforcement as we do in gates and guards.
Because the next attacker? They’re already through the door. They’re just deciding what to take next.
Thanks for reading. Comments welcome below.