From IPs to People
Find Threat Talks on
From IPs to People
Detection only works when activity is tied to identity.
Most networks still enforce access and investigate incidents using IP addresses.
But IPs don’t explain intent.
They don’t travel with the user.
And they don’t tell you who actually acted.
As environments become more dynamic – remote work, shared systems, NAT, service accounts – IP-based security stops being reliable. Logs turn into noise. Policies drift. And investigations slow down because teams are forced to guess who was behind the traffic.
Modern firewalls already solve this.
Identity-based firewalling lets you define security policy based on who the user is, not where they connect from.
Host, Rob Maas (Field CTO, ON2IT), talks with Nicholai Piagentini (Technical Enablement Engineer, ON2IT) about why identity is the missing layer in firewall policy – and why detection and threat hunting fail when your logs can’t name the actor.
This episode isn’t about new tools.
It’s about turning on a capability most organizations already pay for – and using it to build stronger network access control, cleaner zero trust firewall enforcement, and better enterprise security decisions.
What you’ll learn
• Why detection fails when logs don’t contain identity
Anomalies don’t tell a story if you can’t tie actions to a person.
• How identity-based policy improves network access control
Write rules around users and groups – not VLANs and subnets that drift.
• Where identity-based firewalling breaks in real environments
Terminal servers, NAT, service accounts, and AD timeouts create blind spots.
• How to start safely without breaking anything
Enable identity for visibility first, validate the data, then tighten policy.
• Why identity logging is now due diligence for enterprise security
Modern firewall features aren’t optional if you want real zero trust outcomes.
Your cybersecurity experts
Nicholai Piagentini
Technical Enablement Engineer
ON2IT
Rob Maas
Field CTO
ON2IT
Episode details
It starts with a familiar situation.
A security team sees activity in the firewall logs:
A download. A login. A data transfer.
But the log only shows an IP address.
Now the response becomes a chase:
Which device was that? Who was using it? Was it a guest, a service account, or a privileged user?
That delay is where risk grows.
Identity-based firewalling fixes the translation problem.
It lets organizations define access based on business reality – Accounting users, HR users, admins – instead of unstable network artifacts like subnets and address objects.
It also upgrades investigations.
Threat hunting becomes faster when you can correlate behavior by user, spot anomalies over time, and understand who is actually acting – not just where traffic came from.
This episode breaks down why teams skip identity-based firewalling (usually “as-is” migrations and fear of complexity), what commonly goes wrong in deployment, and how to roll it out incrementally with low risk.
Host, Rob Maas (Field CTO, ON2IT), speaks with Nicholai Piagentini (Technical Enablement Engineer, ON2IT) about why identity should live at the network layer, how to handle hard cases like shared systems and service accounts, and why “turn it on imperfectly” is still an immediate win.
This episode isn’t about perfection. It’s about stopping guesswork – and moving from IPs to people.
Get your Hacker T-shirt
Join the treasure hunt!
Find the code within this episode and receive your own hacker t-shirt for free.
