When are concurrent sessions considered indicators of compromise?

Concurrent sessions can be considered indicators of compromise when they occur in two different locations at the same time because this behavior is unusual for most legitimate user activities. Normally, a user will only be logged into a system from one location at a given time. If a user's account is being accessed from two disparate geographic regions simultaneously, it suggests that the account may have been compromised, as it would be difficult for a legitimate user to physically be in two places at once without some form of travel.

This situation raises red flags for security teams, as it could indicate various malicious activities such as credential theft, where an attacker gains unauthorized access using valid credentials. Monitoring for these types of anomalies is a crucial part of detecting potential security breaches and taking appropriate actions to mitigate risks.

In contrast, concurrent sessions from the same user account occurring at the same time in the same location or at different times do not necessarily indicate compromise and could be justified by legitimate scenarios, such as a user accessing services from multiple devices or sessions opening and closing at different times under normal circumstances.