What is identity threat detection and response (ITDR)?
Identity threat detection and response (ITDR) is a collection of tools and best practices aimed at defending against cyberattacks that specifically target user identities or identity and access management (IAM) infrastructure.
ITDR complements other common security products associated with threat detection and response, namely the following:
- Endpoint detection and response (EDR).
- Extended detection and response (XDR).
- Network detection and response (NDR).
- Privileged access management (PAM).
Popularized by Gartner beginning in 2022, ITDR comprises threat detection and defense mechanisms, as well as investigation and response capabilities.
As is typical in cybersecurity, ITDR is not meant to work in isolation. Rather, it is a component of a layered or defense-in-depth security strategy. This approach involves multiple security-related organizational policies, user practices and software, as well as security-focused IT infrastructure design, procurement and implementation decisions to boost the organization's defenses and strengthen its ability to quickly respond and recover should an attack succeed.
Additionally, ITDR supports a zero-trust approach to security.
A growing list of software vendors make ITDR products. These products use behavior analysis technologies, cyberthreat intelligence, threat detection mechanisms, identity governance and administration, and more to build security defenses around identities and IAM infrastructure.
Why ITDR systems are important
The shift from on-premises IT to cloud computing and, later, the work-from-anywhere movement made management of user identities a critical security task.
Cloud-based systems enable employees, business partners, customers and other entities to access an organization's systems from anywhere -- once they've verified their identities. This is why identity is sometimes called the new perimeter in IT and cybersecurity. Identity has replaced the old perimeter, which was the boundary that divided an organization's own IT infrastructure from the outside connected world.
Not surprisingly, identity's increased importance makes it a target for the bad actors seeking to infiltrate enterprise systems and exploit identity-related vulnerabilities.
The "2024 Trends in Securing Digital Identities" white paper from nonprofit Identity Defined Security Alliance found that 90% of organizations experienced at least one identity-related incident in the prior year. It also found that 84% of identity stakeholders that experienced such an incident suffered a direct business impact, up from the 68% who reported as much in the 2023 survey.
What further complicates identity protection is the growing complexity of the modern IT environment. A typical organization has multiple cloud providers hosting its software, multiple cloud-based software-as-a-service providers, some on-premises applications and possibly legacy tech. Plus, most large organizations still use legacy Active Directory systems to manage identities.
This sprawl creates challenges for security professionals who are asked to monitor identities, pinpoint risks, be alert to identity-centric threats and investigate identity-related incidents. ITDR products are designed to lessen such burdens.
How ITDR works
ITDR relies on processes, procedures and technology tools, which use analytics, artificial intelligence, machine learning and automation.
ITDR is intended to do the following:
- Provide centralized visibility and control over all assigned user identities and privileges within the enterprise via its ability to understand the permissions, configurations and connections between user accounts.
- Analyze an organization's processes to determine whether protections are in line with the level of acceptable risk the business has set for itself.
- Generate insights into possible attack scenarios, such as how an attacker could use a compromised credential to move between systems within the organization.
- Implement security controls and policies aligned with the principle of least privilege.
- Identify and examine suspicious activities in the authentication process by using threat intelligence and advanced detection techniques.
- Monitor continuously for threats.
- Initiate defensive measures when a threat is verified.
- Investigate incidents.
Types of identity-based vulnerabilities and threats
Organizations face numerous types of attacks that exploit vulnerabilities within the enterprise and/or use specific strategies to gain illicit access.
Identity-based vulnerabilities sometimes involve unmanaged identities, such as those that other security tools miss. This can happen, for example, when an identity associated with a legacy application is incompatible with a modern PAM system. Other vulnerabilities result from misconfigured identities, such as nested identity groupings, those that improperly allow interactive logins and those with missing encryption. Exposed identities are ones that escape the control of the user and the enterprise, such as those stolen or compromised by attackers through a phishing campaign.
When bad actors exploit such vulnerabilities or otherwise craft an identity-based attack, they might engage in privilege escalation. This is where attackers seek increasing levels of access and administrative rights.
In credential stuffing, attackers use stolen or compromised credentials for one system to gain access to other systems via automated, large-scale login attempts.
With social engineering tactics, attackers trick others into sharing user information and/or other sensitive data.
Features and capabilities in ITDR tools
Although ITDR is a cybersecurity discipline, an ITDR approach is enabled by software -- and, more specifically, a category of products. These software products typically include the following features and capabilities:
- Policy and configuration identification and analysis.
- Identity discovery.
- Attack path management and impact analysis.
- Risk scoring and prioritization.
- Remediation identification and prioritization.
- Real-time monitoring for and alerts to indications of an identity-centric compromise.
- User and entity behavior analytics to detect anomalies.
- Dashboards to provide a consolidated view of alerts, reports and incidents.
- Integration with other security applications, including security information and event management systems and security orchestration, automation and response systems.
- Automated incident investigation and response.
IAM vs. ITDR
Despite the similar focus on identities, ITDR and IAM serve different functions.
Identity and access management refers to the processes and technologies that manage identity. IAM helps ensure that an organization appropriately controls identities and grants only the appropriate level of access to systems for each identity.
ITDR, meanwhile, offers oversight of the IAM function, as well as other identity-related functions and capabilities. It does not supplant IAM, which remains an absolute requirement for any organization seeking to ensure that only authorized users access its IT environment.
Tips for choosing and implementing an ITDR system
Security teams can pick from an increasing number of ITDR products. As with any software selection, security chiefs should evaluate ITDR vendors and products to determine which offer the needed features, capabilities and service levels at a price that works with the organization's budget. Decision-makers should consider their existing IT environment, upcoming IT projects and the threat landscape to ensure they select a product that works with what they have in place now, as well as what they will have in place in the future.
To optimize whichever tool is chosen, security teams should remember that ITDR is a framework, not just a piece of software. As such, they need to integrate both ITDR practices and ITDR software into their overall security program.
Attention to change management is important, too. Security teams need training for both the new ITDR software and new ITDR-infused workflows.
