Identity Threat Detection & Response (ITDR): What You Need To Know

identity threat detection and response portnox

Leading research firm Gartner has highlighted Identity Threat Detection and Response (ITDR) as one of the top cybersecurity trends of 2022, along with digital supply chain risk, attack surface expansion, and others. But what exactly is ITDR, and why is it important for organizations in 2022 and beyond? 

What is Identity Threat Detection & Response? 

In simple words, identity threat detection and response is a new security category focused on detecting credential theft, privilege misuse, unapproved entitlements, and other identity-related threats and vulnerabilities.  

While other cybersecurity tools play a role in identity threat management, there’s been a marked rise in cybercriminals targeting identity and access management (IAM) infrastructure in recent years. As a result, Gartner felt creating this new category would help organizations sharpen their focus and be better positioned to access the best tools and practices to defend their identity systems. Or in other words, identity-based attacks have become such a common cybersecurity threat that a dedicated and laser-focused approach to combating them is needed.  

The Case For ITDR    

Today’s cyber threat landscape is more severe than ever before. With organizations rapidly shifting to remote working and public cloud adoption, the traditional network edge effectively no longer exists. This means companies must shift their security posture to focus on identities over devices.  

 At the same time, identity-based attacks are rising, and this trend shows no signs of slowing down in the foreseeable future. Today, cybercriminals increasingly bypass IAM by leveraging privileged access credentials. Then, they often move laterally across the networks, undetected. They also use this access to exfiltrate valuable data like employees’ and customers’ sensitive personal or financial information.  

The security impact of stolen credentials on identity systems is immense. For example, one study found by Verizon that stolen credentials cause 61% of all data breaches1 

With the current state of the cyber threat landscape, cybersecurity experts are now recognizing that IAM and other related tools are not robust security. For example, Gartner argues that threat actors are “actively targeting access management (IAM) infrastructure,” so we need to develop new ways of protecting that infrastructure. 

As for a high-profile case of identity compromise in action, look no further than the SolarWinds attack of 2020. SolarWinds is a leading software company that provides system management tools for network infrastructure and monitoring to companies worldwide. Hackers inserted malware into signed versions of SolarWinds’s software, which was then used to infiltrate an eye-watering 18,000 organizations. Essentially, SolarWinds’ Orion Platform created a backdoor through which the hackers could impersonate users and accounts of the targeted organizations. The malware also accessed system files and managed to blend in with legitimate activity without detection.  

What Sets ITDR Apart? 

A common question around ITDR is how it differs from other threat detection or identity management systems organizations already use today. Is it more of the same? The simple answer is no, but let’s dive a little further to discover why.  

Existing identity protection tools like IAM, IGA, and PAM focus primarily on authorization and authentication, ensuring that the right people have access to the files and apps they need. In recent years, organizations have spent considerable effort improving these capabilities, adopting increasingly sophisticated software to manage identities and access with authentication.  

In certain cases, IAM can pose a significant security risk when used in isolation – they can become a single point of failure if compromised. This is where ITDR comes in. ITDR is really about segregating these duties so that we can secure our IAM infrastructure and ensure that it’s working as intended.  

And how does ITDR stack up against Endpoint Detection and Response (EDR)? EDR is a layered approach to endpoint protection that unites real-time continuous monitoring and endpoint data analytics with a rule-based automated response. EDR solutions work similarly to ITDR but ultimately focus on different things. Namely, EDR looks for attacks on endpoints, while ITDR looks for attacks on identities.  

They also work differently once an attack has been identified. For example, when an EDR system detects an attack, it isolates the system to limit the hacker’s movement or shuts down the system to stop the hacker in their tracks. By contrast, ITDR systems often add an additional layer of security by providing fake data that acts as a decoy. These solutions can also limit lateral movement through the network.  

However, it’s also true that ITDR solutions may vary depending on the provider. With this in mind, here are the features a solution should have to qualify as ITDR: 

  • It should monitor and detect nefarious identity and privileges activity.  
  • It should detect identity-related misconfigurations, for example, Active Directory misconfigurations, that could lead to compromise. These misconfigurations could be intentional or unintentional, but both are equally damaging.  
  • It should investigate identity threats using contextual user information. The system should be able to detect if a user deviates from their typical activity, for example, accessing the system from an unusual location or downloading files they wouldn’t normally interact with.  

Following detection comes the response. We’ve already covered how ITDR responds to threats in action, but other responses would be removing excessive privileges (and moving towards Least Privilege) and investigating anomalies in privilege usage.  

Final Thoughts 

Identity security should be a top priority for organizations in today’s increasingly hostile cyber threat landscape. Effectively detecting and responding to identity-based threats is essential in a world where cybercriminals are continually bypassing authentication and authorization tools. ITDR plays a crucial role here in protecting our identity systems and keeping cyber criminals out. As a result, we expect to see more organizations investing in ITDR solutions over the coming years.  

Try Portnox CLEAR for Free Today

Gain access to all of Portnox CLEAR’s powerful NAC capabilities for 30 days!