08/05/2024 | News release | Distributed by Public on 08/05/2024 04:38
Gartner listed identity threat detection and response (ITDR) among its top security and risk management trends for 2022 and beyond - and study after study keeps verifying the importance of an effective ITDR strategy. For example, the Identity Defined Security Alliance (IDSA) revealed that more than 90% of the organizations it surveyed suffered an identity-related attack in 2023, and a 2024 IBM report found that attacks using stolen credentials increased by 71% year over year.
To help your organization defend against identity threats, this article provides an in-depth guide to ITDR, including the key capabilities to look for when evaluating candidate tools.
ITDR is not a single process or piece of software. Rather, it is a framework focused on detecting and responding to suspicious activity related to identities, such as privilege escalation attempts and repeated failed logons. Accordingly, an effective ITDR strategy involves using a combination of processes, tools and policies to protect identities and the systems that house them.
ITDR doesn't replace other core security disciplines like privileged access management (PAM), vulnerability scanning and data loss prevention (DLP). Rather, it is another layer of security that complements your existing tools and processes.
A comprehensive ITDR security system includes three core functions: identity monitoring, threat detection and incident response.
Continuous monitoring of identities and their activity is essential to spotting and thwarting threats. A solid ITDR system will establish a baseline of the normal behavior of each identity, typically using technologies like machine learning (ML) and artificial intelligence (AI) to analyze past activity and uncover patterns. It will then watch user activity, looking for any aberrant actions that could indicate that the account is being misused by its owner or has been taken over by an adversary.
In addition to monitoring the activity of users, an ITDR system needs to carefully track all activity around the identities themselves, such as any unexpected creation of accounts or granting of new privileges to existing accounts.
All this monitoring needs to happen in real time so that the organization can be alerted to threats in time to respond effectively and prevent serious damage.
A modern IT ecosystem is bursting with activity, and not every anomalous event is a threat. For example, multiple unsuccessful login attempts could be an adversary trying to breach the network - or simply the legitimate account owner struggling to remember or correctly type their password.
To avoid overloading security teams with alerts, ITDR solutions need to accurately identify true threats and weed out false alarms. To do this, they normally rely on user behavior analytics (UBA) to compare current activity to the established baseline of normal behaviors for the identity. For example, UBA can determine that a user is not only accessing sensitive data but doing so at an unusual time or from an unexpected location, which means the activity is more likely to be a true threat. This analysis feeds risk scoring, where the tool assigns each anomaly a number that represents its likelihood of being a genuine security threat.
ITDR solutions facilitate response to threats in multiple ways. They often provide dashboards and reports that display potential threats and their rankings, and offer real-time alerts that notify security teams about high-risk activity by email, text or other channels.
In addition, the most advanced ITDR systems can respond to some threats automatically: Security teams build response playbooks that define threat indicators and the actions to be triggered in response. Examples of these actions include:
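As an added illustration of the baselining, UBA risk scoring and playbook flow described above (example code written for this article, not Netwrix product logic; the event format, anomaly weights, failed-logon threshold and playbook actions are constructed assumptions):

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample events (not from the article): (identity, ISO timestamp, country, action, outcome)
BASELINE_EVENTS = [
    ("alice", "2024-07-01T09:12:00", "US", "login", "success"),
    ("alice", "2024-07-03T14:20:00", "US", "read:payroll", "success"),
    ("bob", "2024-07-01T11:30:00", "US", "login", "success"),
]
RECENT_EVENTS = [
    ("alice", "2024-08-01T03:10:00", "RO", "login", "failure"),
    ("alice", "2024-08-01T03:11:00", "RO", "login", "failure"),
    ("alice", "2024-08-01T03:12:00", "RO", "login", "failure"),
    ("alice", "2024-08-01T03:13:00", "RO", "login", "success"),
    ("alice", "2024-08-01T03:15:00", "RO", "read:payroll", "success"),
    ("bob", "2024-08-01T11:00:00", "US", "login", "success"),
]
# Anomaly weights (a real UBA engine learns these) and a playbook of (minimum score, action), most severe first
WEIGHTS = {"unusual hour": 1, "unexpected location": 2,
           "repeated failed logons": 2, "sensitive access under anomalous conditions": 3}
PLAYBOOK = [(6, "disable account and revoke sessions"),
            (3, "require step-up MFA and alert SOC"), (1, "log for analyst review")]
def build_baseline(events):
    """Learn, per identity, the hours of day and countries seen in successful activity."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country, _action, outcome in events:
        if outcome == "success":
            baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
            baseline[user]["countries"].add(country)
    return baseline

def score_identities(events, baseline, fail_threshold=3):
    """Compare recent activity to the baseline; return {identity: (risk score, sorted reasons)}."""
    reasons, fail_streak = defaultdict(set), defaultdict(int)
    for user, ts, country, action, outcome in events:
        prof = baseline[user]  # an identity with no baseline gets an empty profile, so everything is anomalous
        found = set()
        if datetime.fromisoformat(ts).hour not in prof["hours"]:
            found.add("unusual hour")
        if country not in prof["countries"]:
            found.add("unexpected location")
        fail_streak[user] = fail_streak[user] + 1 if (action, outcome) == ("login", "failure") else 0
        if fail_streak[user] >= fail_threshold:
            found.add("repeated failed logons")
        if action.startswith("read:") and found:  # sensitive access only scores when paired with another anomaly
            found.add("sensitive access under anomalous conditions")
        reasons[user] |= found  # distinct reasons per identity, so a burst of events is not over-counted
    return {u: (sum(WEIGHTS[r] for r in reasons[u]), sorted(reasons[u])) for u in reasons}

def respond(score):  # map a risk score to the first matching playbook action
    return next((action for floor, action in PLAYBOOK if score >= floor), "no action")
```

Running `score_identities(RECENT_EVENTS, build_baseline(BASELINE_EVENTS))` scores alice's off-hours, foreign-location burst of failed logons followed by payroll access as high risk, while bob's routine login scores zero and triggers no response.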
While ITDR has always been important, several modern realities make it absolutely essential today. They include the explosion in remote work, increasingly strict compliance mandates and the rapidly evolving threat landscape.
Remote and hybrid work has become common in recent years. While this shift offers a wealth of benefits like increased productivity and cost savings, it has also introduced a new cybersecurity risk: Traditional access management and security controls like network firewalls are simply no longer sufficient for a strong cybersecurity posture. Instead, organizations need to layer on robust identity threat detection and response strategies to prevent, detect and respond to identity-based threats.
Many organizations today must comply with strict regulations for controlling access to sensitive data. While mandates like the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) have been around for years, new laws are constantly being added. For example, the General Data Protection Regulation (GDPR) has broad reach and violations can result in extremely hefty fines, and similar data privacy laws are being introduced by other national and state governments.
An effective ITDR strategy is essential for achieving, maintaining and proving compliance with many regulations because ITDR helps organizations effectively manage access to regulated data, including financial transactions, medical records and customer information.
Identity-related cyberattacks have increased in recent years, and adversaries are using more sophisticated tactics and techniques. Moreover, there are now open-source tools and even services available that enable less technical threat actors to discover weak points in an organization's defenses and launch targeted attacks.
ITDR can help organizations mitigate their risk from these rapidly evolving threats. For example, it can help them block, detect and respond to social engineering attacks like phishing scams, in which hackers manipulate or trick users into giving them confidential information such as their credentials. ITDR can also help organizations spot and shut down credential stuffing attacks, which use automated tools to try to log on using stolen credentials.
When assessing identity threat detection and response tools, be sure to check for the following features:
Organizations worldwide are recognizing the importance of ITDR. In fact, 75% of security personnel now leverage ITDR-based security tools, according to a 2024 report from Anomali. However, integrating ITDR with other security systems remains a challenge. Gaps often stem from disparate data sources, inconsistencies across security layers and varying levels of identity management maturity. Malicious actors can exploit these gaps to gain unauthorized access, evade detection and compromise critical systems.
The market is responding. Emerging trends that can enhance ITDR effectiveness include the following:
ITDR is an essential component in any security strategy, and like other components, it isn't a one-time task. As your IT environment and the threat landscape evolve, you must continuously assess the effectiveness of your tools and processes and stay on top of ITDR best practices.
Partnering with an experienced provider like Netwrix is critical to success. Netwrix offers a suite of ITDR products that will help you secure your core identity system, Active Directory. In particular, Netwrix Auditor will continually monitor activity across your IT environment, detect threats, and facilitate quick response. It will also help you prepare for compliance audits and answer ad-hoc questions from auditors in minutes.
Ready to take identity threat detection and response to the next level? Request a free trial today.
Identity threat detection and response (ITDR) is a framework that focuses on detecting, identifying and responding to threats to the security of identity management systems and infrastructure.
ITDR is sometimes confused with endpoint detection and response (EDR) because both disciplines are focused on detecting and responding to threats. However, ITDR and EDR play different roles in a broader cybersecurity strategy, as outlined in the table below:
| | ITDR | EDR |
|---|---|---|
| Focus | Protects user identities and access management systems | Protects endpoint devices like desktops, laptops and servers |
| Data Collected | Data related to user identities, including identity creation, changes to user privileges, user access patterns, and real-time user activity such as login attempts | Data from endpoints, including system logs, file modifications, process activities, network connections and application behavior |
| Main Threats Addressed | Credential theft, phishing and other social engineering attacks, suspicious access, privilege escalation | Malware, ransomware, zero-day exploits, fileless attacks, system vulnerabilities |
| Incident Response Actions | Revoking access, alerting administrators, initiating forensic investigations and enforcing security policies | Isolating endpoints, removing malware, blocking malicious activity and restoring systems |
ITDR focuses on detecting and responding to identity-related threats. Extended detection and response (XDR) is more comprehensive, offering threat detection and response across multiple security layers.
Managed detection and response (MDR) is a service, rather than a security framework like ITDR. It combines people, tools and processes to provide threat detection and response as a managed service.