What is Identity Threat Detection & Response (ITDR)?
Identity threat detection and response (ITDR) refers to the combination of security tools and processes required to adequately defend identity-based systems. Gartner defines ITDR as “a security discipline that encompasses threat intelligence, best practices, a knowledge base, tools, and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspicious posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.”
Despite what some security vendors will tell you, ITDR is a discipline, not a product. ITDR has emerged in recent years in response to the explosion of distributed identities beyond the traditional network perimeter and the resulting massive increase in identity-related vulnerabilities (such as unmanaged, misconfigured, or exposed identities).
This blog explores the foundational concepts of identity threat detection and response, why it is needed, and how it aligns with Privileged Access Management (PAM) and the identity-based security controls that are increasingly central to mandates like zero trust.
Why do we need ITDR?
We have seen a major shift in the security industry away from perimeter-based security strategies, driven by the move to cloud and remote work. Identity has become the new perimeter: a malicious actor no longer needs to breach a firewall to enter a network, they need to compromise an identity.
Identity-based attacks are on the rise as threat actors seek to exploit the identity sprawl caused by cloud adoption, the proliferation of non-human accounts, and the use of disparate systems to manage identities. These attacks make use of compromised credentials, over-privileged users, and gaps in visibility. Organizations also lack an understanding of which users represent the most risk, making prioritization of mitigations more difficult. Identity-based attacks may exploit hidden attack paths that are harder to detect than traditional code-based exploits.
Identity compromise and misuse are central to almost every cyberattack, largely because an attacker holding a user's valid credentials looks the same to the authenticating system as the legitimate user. By compromising an identity, a threat actor can effectively impersonate a user to access resources, compromise systems, move laterally, and compromise further identities to gain higher levels of access and privilege.
Attackers have been quick to apply all the well-known ‘land and expand’ techniques to these new environments. They capitalize on the lack of visibility and lack of unified telemetry many organizations experience with regard to cloud/multicloud and hybrid environments. ITDR represents a significant opportunity to redress this imbalance.
Research sponsored by the Identity Defined Security Alliance (IDSA) found that 79% of respondents had an identity-related breach within the past two years, and that 99% of respondents believed their identity-related breaches were preventable. Our own customers tell us that identity-related breaches are, indeed, preventable, but that doesn’t mean this is an easy task for today’s organizations.
The most pervasive factor preventing organizations from effective identity-related risk mitigation is a lack of continuous visibility of identities across all systems, especially on rapidly expanding cloud systems. Even for known identities, there is a lack of understanding around the privileges and entitlements associated with identities. This problem is then compounded by dynamic environments where new users, systems, and integrations are constantly creating new attack paths on top of existing misconfigurations that can mask the activity of threat actors.
Today, we have identity and access management (IAM) tools, which have deep visibility of an account belonging to an identity. However, IAM tools are unable to see the full picture of how this information relates to the disparate systems, access, and privileges that identity has. Then we have security tools, like SIEM and SOAR, that have a breadth of visibility in events across the environment, but which lack the depth of visibility into identities. Attackers increasingly exploit this yawning gap between IAM and security tools.
This is where ITDR comes into play. By combining cyber threat intelligence, detection, investigation, and response in one security discipline, organizations are much better poised to defend their identity infrastructures.
How do Organizations Solve the Problem of Identity-related Risk Today?
Until recently, organizations tried to compensate for gaps in visibility of identities, and the resulting increase in identity-based threats, by deploying endpoint security solutions focused on detecting malicious code and activity, with less than impressive results. Regardless of the malware or exploit code used, identity compromise, lateral movement, and privilege escalation are at the heart of most attacks, as the attacker abuses the access of, and relationships between, identities.
These hidden and often unintended relationships between identities provide exploitable attack paths. Without complete visibility and understanding of identities, it is difficult to understand the privileged relationships between users and systems. This, in turn, makes it challenging to fully implement least privilege and just-in-time access models.
Today, organizations grasp the need to identify, eliminate, and audit attack paths in their dynamic, modern IT environments. These are all keys to reducing the attack surface, uncovering unknown risks, and remediating incidents independently from malicious code detection.
How does ITDR Compare to other Cybersecurity Disciplines?
Identity threat detection and response is about protecting credentials, privileges, entitlements and the systems and policies that manage them. As we said earlier, ITDR is a discipline, not a market or product—but we still need to understand where it all fits in the security landscape.
How is ITDR different from EDR and XDR?
Endpoint Detection and Response (EDR) and eXtended Detection and Response (XDR) are complementary to ITDR and take a similar approach. All of them collect signals across multiple sources, but ITDR focuses on identities (credentials, privileges, entitlements and the systems that manage them) while EDR and XDR focus on code execution and activity on endpoints. So, while there is some overlap around elevation of privilege, these solutions diverge in both what they detect and how they respond. ITDR solutions sit alongside EDR/XDR solutions, and the two complement each other to offer a greater level of protection.
Isn’t ITDR what Identity Governance and Administration (IGA) solutions do—what’s the difference?
Broadly, IGA is focused on the identity lifecycle and on authorization: provisioning and deprovisioning accounts, managing entitlements, and certifying who should have access to what. IGA works under the premise that it knows who your users are, and it understands which applications or systems those users are authorized to access.
Provisioning and deprovisioning accounts in a directory and managing entitlements to control access is useful; however, it doesn't factor in the relationships between accounts, whether the privileges granted are actually required, or collate and analyze identity activity signals from multiple sources. IGA has no visibility of users who have been granted access to applications and systems outside of the IGA solution, nor of whether those users should have any level of access. IGA is a deterministic tool that manages only known identities and known access.
How does ITDR compare to IAM?
ITDR is also differentiated from traditional identity solutions such as Identity & Access Management (IAM), which focus on authentication and authorization. ITDR provides a level of visibility into credential abuse, privilege escalation attempts, and entitlement exposure across all systems that goes far beyond authentication and authorization controls.
How ITDR Works
By focusing on identity signals in real time and understanding the permissions, configurations, and connections between accounts, ITDR can be proactive in reducing the attack surface, while also detecting identity threats. This is not a new concept; tools such as BloodHound already collect Active Directory (AD) relationships (group memberships, local admin rights, logon sessions, ACLs) into a graph and use graph theory to identify weaknesses in the AD configuration that an attacker could exploit. The output of such a tool can be used to understand likely paths of lateral movement and privilege escalation and shut them down, improving Active Directory security.
This same concept can be applied at scale beyond AD to understand where the attack surface exists across all systems. ITDR can illuminate how an attacker might compromise credentials, privileges, and entitlements to move from on-premises systems into cloud containers and infrastructure. This provides an unprecedented level of visibility into the attack paths that present the greatest risk to the business, and enables those risks to be proactively mitigated.
This newfound level of insights can also be used to triage and respond to attacks in progress by identifying:
- Compromised systems
- Exposed identities
- Where those identities can and have been used
- How to revoke privileges, rotate credentials, and implement other security controls to contain the blast radius
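The graph approach described above, as an added example that is not part of the original post and not BeyondTrust's or BloodHound's own code. It models a small hypothetical environment (all principal, group, host and cloud-role names are made up) using BloodHound-style relationships, then answers the questions the section lists: the shortest path from a low-privilege user to a tier-0 group, the blast radius of a compromised host, which identities expose the target, and which single edge removals would cut every path to it.

```python
"""Attack-path analysis over an identity graph, BloodHound-style.

The environment below is constructed for illustration; every name and
relationship is hypothetical, not data from any real tenant or domain."""
from collections import deque

# Directed edges (source, relationship, destination), using the BloodHound
# conventions: MemberOf = principal is in group; AdminTo = principal or group
# has local admin on a host; HasSession = the host holds a logon session (and
# so cached credential material) for that principal; FederatesTo = an on-prem
# identity can assume a cloud role via federation (role name is made up).
EDGES = [
    ("alice@corp",    "MemberOf",    "Helpdesk"),
    ("Helpdesk",      "AdminTo",     "WS-042"),
    ("WS-042",        "HasSession",  "bob@corp"),
    ("bob@corp",      "MemberOf",    "ServerOps"),
    ("carol@corp",    "MemberOf",    "ServerOps"),
    ("ServerOps",     "AdminTo",     "SRV-DB01"),
    ("SRV-DB01",      "HasSession",  "svc_backup"),
    ("svc_backup",    "MemberOf",    "Domain Admins"),
    ("Domain Admins", "AdminTo",     "DC01"),
    ("bob@corp",      "FederatesTo", "aws:role/CloudAdmin"),
]

def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

def shortest_path(graph, start, target):
    """Breadth-first search; returns the hops [(node, rel, node), ...] or None."""
    if start == target:
        return []
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parents:
                continue
            parents[nxt] = (node, rel)
            if nxt == target:
                path, cur = [], nxt
                while parents[cur] is not None:
                    prev, r = parents[cur]
                    path.append((prev, r, cur))
                    cur = prev
                return list(reversed(path))
            queue.append(nxt)
    return None

def reachable(graph, start):
    """Blast radius: every node an attacker who controls `start` can reach."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for _, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def exposing_sources(graph, target, candidates):
    """Which of `candidates` (e.g. all user principals) can reach `target`."""
    return {c for c in candidates if shortest_path(graph, c, target) is not None}

def choke_points(edges, sources, target):
    """Edges whose removal leaves none of `sources` with a path to `target`.
    Fixing any one of these (remove a group membership, stop a service account
    logging on interactively, strip an admin right) collapses every path."""
    cut_all = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if not exposing_sources(build_graph(remaining), target, sources):
            cut_all.append(edge)
    return cut_all

if __name__ == "__main__":
    g = build_graph(EDGES)
    for hop in shortest_path(g, "alice@corp", "Domain Admins"):
        print("%-14s -[%s]-> %s" % hop)
    print("blast radius of WS-042:", sorted(reachable(g, "WS-042")))
    users = ["alice@corp", "bob@corp", "carol@corp"]
    print("users exposing Domain Admins:", sorted(exposing_sources(g, "Domain Admins", users)))
    print("single fixes that cut all of them:", choke_points(EDGES, users, "Domain Admins"))
```

The interesting result is the last one: removing the helpdesk user's admin right on the workstation only fixes alice's path, whereas breaking the service account's interactive session on the database server (or its Domain Admins membership) cuts every path at once, which is the kind of prioritization a real environment with thousands of edges needs.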
How Privileged Access Management (PAM) fits into ITDR
To effectively protect against identity-based threats, you need both preventative and detective capabilities. A preventative approach discovers and helps remediate gaps before a threat actor can exploit them. These gaps, or vulnerabilities, encompass unmanaged, misconfigured, or exposed identities and their impact on access to critical systems or resources. This is complemented by detection capabilities that raise an alert the moment the solution sees an identity being compromised or misused. The prevention/detection combination allows you to proactively reduce your attack surface as well as identify attacks in progress.
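The detective half of that combination, as an added example that is not part of the original post and not BeyondTrust code. It correlates constructed events from three hypothetical sources (an Okta-style identity provider, an AD audit feed, and a PAM checkout log; the users, IPs and timestamps are all made up, with IPs from the RFC 5737 documentation ranges) and raises two alerts that none of the sources could raise alone: a tier-0 group change by an actor with no PAM checkout, and a login from outside the user's baseline country shortly after that user's MFA factor was removed. A triage step then groups alerts per identity and proposes the containment actions the previous section lists.

```python
"""Correlating identity signals from several sources into detections.

All events, baselines and names below are constructed for illustration;
the Okta event type strings follow Okta's naming but the data is fictional."""
from datetime import datetime, timedelta

TIER0_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Constructed per-user baseline (in practice, learned from login history).
BASELINE_COUNTRY = {"bob@corp": "GB", "carol@corp": "GB"}

EVENTS = [
    {"ts": "2023-09-14T07:55:00Z", "src": "okta", "type": "user.session.start",
     "user": "bob@corp", "ip": "192.0.2.10", "country": "GB"},
    {"ts": "2023-09-14T08:02:00Z", "src": "okta", "type": "user.mfa.factor.deactivate",
     "user": "bob@corp", "ip": "192.0.2.10"},
    {"ts": "2023-09-14T08:05:30Z", "src": "okta", "type": "user.session.start",
     "user": "bob@corp", "ip": "198.51.100.9", "country": "RO"},
    {"ts": "2023-09-14T08:09:12Z", "src": "ad", "type": "group.member.add",
     "actor": "bob@corp", "member": "svc_backup", "group": "Domain Admins"},
    {"ts": "2023-09-14T09:30:00Z", "src": "pam", "type": "checkout",
     "user": "carol@corp", "account": "da-carol"},
    {"ts": "2023-09-14T09:31:00Z", "src": "ad", "type": "group.member.add",
     "actor": "carol@corp", "member": "dave@corp", "group": "Domain Admins"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _preceded_by(events, t, window, pred):
    """True if some event satisfying pred occurred in (t - window, t]."""
    return any(pred(e) and t - window <= parse_ts(e["ts"]) <= t for e in events)

def detect_unbrokered_tier0_change(events, window=timedelta(minutes=60)):
    """Tier-0 group change whose actor has no PAM checkout in the preceding window.
    A change made through PAM is expected; one made outside it is a privilege
    escalation that the directory alone cannot distinguish from admin work."""
    alerts = []
    for e in events:
        if e["src"] != "ad" or e["type"] != "group.member.add" or e["group"] not in TIER0_GROUPS:
            continue
        t = parse_ts(e["ts"])
        brokered = _preceded_by(events, t, window,
                                lambda c: c["src"] == "pam" and c["type"] == "checkout"
                                and c["user"] == e["actor"])
        if not brokered:
            alerts.append({"rule": "unbrokered_tier0_change", "identity": e["actor"],
                           "ts": e["ts"], "detail": f'{e["member"]} added to {e["group"]} outside PAM'})
    return alerts

def detect_mfa_downgrade_then_anomalous_login(events, window=timedelta(minutes=30)):
    """Login from outside the user's baseline country shortly after an MFA factor
    was removed: a classic account-takeover sequence that the IdP logs as two
    unrelated successful operations."""
    alerts = []
    for e in events:
        if e["src"] != "okta" or e["type"] != "user.session.start":
            continue
        if e.get("country") == BASELINE_COUNTRY.get(e["user"]):
            continue
        t = parse_ts(e["ts"])
        if _preceded_by(events, t, window,
                        lambda d: d["src"] == "okta" and d["type"] == "user.mfa.factor.deactivate"
                        and d["user"] == e["user"]):
            alerts.append({"rule": "mfa_downgrade_then_anomalous_login", "identity": e["user"],
                           "ts": e["ts"], "detail": f'login from {e["ip"]} ({e["country"]}) after MFA removal'})
    return alerts

def triage(events):
    """Group alerts per identity and attach the containment actions to take."""
    alerts = detect_unbrokered_tier0_change(events) + detect_mfa_downgrade_then_anomalous_login(events)
    plan = {}
    for a in alerts:
        entry = plan.setdefault(a["identity"], {"alerts": [], "actions": [
            "revoke active sessions and refresh tokens",
            "rotate credentials and force MFA re-enrolment"]})
        entry["alerts"].append(a["rule"])
        if a["rule"] == "unbrokered_tier0_change":
            entry["actions"].append("revert the group change and rotate the added member's credentials")
    return plan

if __name__ == "__main__":
    for ident, entry in triage(EVENTS).items():
        print(ident, entry["alerts"])
        for action in entry["actions"]:
            print("  ->", action)
```

Note that carol's change to the same group produces no alert because a PAM checkout preceded it; that is the point of feeding PAM telemetry into detection rather than alerting on every tier-0 change.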
This will all sound familiar to those who have used Privileged Access Management (PAM) solutions, such as the BeyondTrust portfolio, which provide a comprehensive approach to securing identity and access across all environments in your organization.
BeyondTrust solutions are uniquely positioned to address identity threats and support you in the ITDR discipline, given our view of identities, privileges, and access across an organization. By combining data from across our product portfolio with third-party data from other identity tools, we can take PAM to the next level to provide unprecedented visibility into identity risks and threats.
How Identity Security Insights Will Help You Operationalize ITDR
Identity Security Insights, a new offering from BeyondTrust coming in the fall of 2023, will provide intelligent, actionable analytics your organization can leverage to immediately improve your security posture. It will correlate data from BeyondTrust solutions and third-party tools, such as Okta and Azure Active Directory, to make proactive recommendations as well as detect potentially in-progress attacks.
Identity Security Insights, sitting at the heart of the BeyondTrust Privileged Access Management platform, will give organizations powerful synergies for the prevention and detection of identity and access threats.
James Maude, Director of Research
James Maude is the Director of Research at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.
Alex Leemon, Director, Product Marketing
Alex Leemon is Director, Product Marketing at BeyondTrust. She has over fifteen years of experience working with enterprise-level and Critical Infrastructure organizations solving safety and security challenges. Before joining BeyondTrust, Alex served in various roles related to the development of operational technology (OT) products and the Industrial Internet of Things (IIoT).