Defenders who want to proactively protect their company’s identities have no shortage of security tools to choose from. There are so many, in fact, that it seems like a new category of tool is invented every few months just to help keep them all straight.
Because most security teams are finding it increasingly difficult to stop attackers as they use identity vulnerabilities to escalate privilege and move laterally across their organization’s IT environment, some of today’s newest tools focus on this middle part of the attack chain. Endpoint detection and response (EDR) and extended detection and response (XDR) are two tools that claim to cover this specialized area of defense. But unfortunately, because of their fundamental architecture and core capabilities, that’s not really what they do best. That’s why a new category of tool—identity threat detection and response (ITDR)—is emerging to fill the gaps.
In this blog post, we’ll explain the difference between EDR, XDR and ITDR so that you can understand how these tools complement and reinforce each other. They each have strengths, and when they're combined they provide even better security coverage. But first, let’s rewind the cybersecurity evolution timeline back to the 1980s to understand why ITDR has emerged as a critical defense measure in today’s threat landscape.
The rise of antivirus software and firewalls
We’re starting in the 1980s because that’s the decade that saw the advent of computer networks and the proliferation of personal computers. It also saw the rapid rise of new threats due to adversaries taking advantage of both trends.
There were notable computer threats prior to this decade, of course. The “Creeper” self-replicating program in 1971 and the ANIMAL Trojan in 1975 are two examples. But the pace of development picked up considerably during the 1980s as personal computing and computer networking spread, and bad actors and other mischief-makers sought to profit from or simply break into (or break) devices and systems.
In 1987, the aptly named Bernd Robert Fix, a German computer security expert, developed a software program to stop a virus known as Vienna. This virus destroyed random files on the computers it infected. Fix’s program worked—and the antivirus software industry was born. However, while early antivirus tools were useful, they could only detect and remove known viruses from infected systems.
The introduction of firewalls to monitor and control network traffic is another security advancement from the decade. Early “network layer” firewalls were designed to judge “packets” (small chunks of data) based on simple information like the source address, destination address and connection type. If a packet passed muster, it was forwarded to its destination; if not, it was dropped.
The internet explosion—and the escalation of cybercrime
The late 1990s and early 2000s witnessed the explosive growth of the internet as a key business platform, kicking off an era of tremendous change. It brought new opportunities but also many new security risks and threats.
Cybercrime expanded and became a more formalized and global industry during this time. Bad actors focused on developing malware and other threats. Email with malicious attachments and crafty social engineering strategies quickly became favorite tools for adversaries looking to distribute their innovations and employ unsuspecting users in helping to activate their criminal campaigns.
As cyberthreats became more sophisticated, defenders evolved traditional detective security tools to feature:
- Signature-based detection to identify known malware
- Heuristic analysis to catch otherwise hard-to-detect threats based on suspicious behavioral patterns
Both of these methods were effective to a degree. But once again, they could not keep in step with cybercriminal innovation and tended to generate a lot of false positives and false negatives.
Enter the SIEM
Around 2005, security information and event management (SIEM) tools emerged to enhance the ability of security teams to detect and respond to security incidents. A SIEM tool is a hybrid of security event management (SEM) and security information management (SIM). It can aggregate and analyze log data from various sources across a network to identify potential security incidents.
SIEM tools can provide a critical layer of protection to a company’s digital ecosystem by offering real-time visibility, advanced threat detection and response, compliance management and more. However, they also have their limitations, especially when it comes to dealing with the sheer volume and complexity of modern cyber threats.
And that brings us to our discussion of EDR and XDR, two cybersecurity approaches that offer more comprehensive detection and response than SIEM systems and other methods can.
What is EDR?
Former Gartner analyst Anton Chuvakin is credited with coining the term endpoint detection and response (EDR) in 2013. He used EDR to describe the tools used to detect and investigate activities on individual endpoints like desktops and servers.
The primary goal of EDR technology is to provide real-time visibility into security-relevant activities on endpoints while offering continuous monitoring for potential threats. EDR systems analyze data collected from various sources to identify suspicious behavior patterns or indicators of compromise (IoCs). Once they detect something is amiss, these systems can enable rapid response actions. For instance, they can isolate affected endpoints before the attacker moves laterally.
EDR technology offers threat response tools that help security teams to:
- Monitor endpoint activities, including collecting data on processes, network connections and file changes
- Detect threats using multiple analytic techniques
- Investigate incidents more efficiently
- Respond to detected issues by providing forensic information and enabling containment and isolation of affected endpoints
EDR tools have evolved over the past decade to help businesses keep their networks safe from a wide range of threats. However, these tools are limited in that they generally identify threats through the use of signature-based and behavioral detection.
What is XDR?
XDR stands for extended detection and response. A concept that emerged only a few years ago, XDR refers to tools that can integrate multiple security datasets into a single platform. XDR integrates and correlates data from various security components like endpoints, networks, cloud services and applications. As a result, XDR can provide enhanced detection and response visibility across an entire environment.
The goal of using XDR for cybersecurity is to gain a more comprehensive and unified view of security threats. The outcomes are improved threat detection, investigation and response. XDR also enables faster identification of complex cyberattacks that may span multiple layers within an IT environment.
However, like EDR, XDR tools can struggle to keep pace with attackers’ fast-changing tactics and techniques. Notably, EDR and XDR can work together and some would say that XDR is an evolution of EDR. If you complement EDR and XDR with ITDR, you will boost your defenses significantly.
What is ITDR?
ITDR, or identity threat detection and response, is a new security category also coined by Gartner that can be viewed as adjacent and complementary to security tools like:
- EDR
- XDR
- Network detection and response (NDR)
- Directories, such as Active Directory
- Privileged access management (PAM)
ITDR solutions don’t replace existing threat detection and response systems, like EDR and XDR. Rather, ITDR tools complement them—they fill the gaps that these other systems can’t close.
An ITDR system will continuously scan your endpoints (both clients and servers), identity repositories and PAM systems, looking for unmanaged, misconfigured, over-privileged and otherwise vulnerable identities. With this data it gives you bottom-up and top-down views into your unique identity risks, which you can then use to remove the key attack pathways to your crown jewels that threat actors rely on to install ransomware and steal data.
ITDR also gives you a proven way to catch attackers in the act of trying to escalate privilege and to move laterally. ITDR systems plant many types of deceptive content, or trip wires, throughout your environment that only a threat actor would interact with. As soon as they do, you get an alert with key forensics so you know exactly where to find them and what to do about it.
The need for ITDR
An ITDR-supported approach to identity security is critical in a world where identity is the new security perimeter. Why is identity the new perimeter? Consider this: Even if networks, endpoints and all other devices and applications are well secured, an attacker only needs access to one privileged account to compromise a company’s IT resources. Identity-based attacks are incredibly common. According to one study, 84% of businesses experienced an identity-related breach in the past year.
With ITDR, your security teams are better positioned to prevent and detect identity-based attacks in the middle of the attack chain, where privilege escalation and lateral movement dominate.
Benefits of ITDR
Threat actors will start their campaigns by targeting your people through attacks like credential phishing. And once they compromise an account—an identity—they can get inside your environment and use that identity to move laterally and achieve their objectives.
The top benefit of ITDR is that it can help you break the middle of the attack chain. As this post explains, the robust controls in an ITDR solution can help you stop attacks before they can become major incidents.
ITDR provides you with a host of robust security controls that help you protect the middle of the attack chain. It helps you to:
- Detect, investigate and respond to account takeovers quickly
- Stop privilege escalations
- Identify and halt lateral movement
- Reduce the attack surface before the threat actor arrives
Moving to an ITDR approach
If you already have strong identity and access management measures in place—like PAM and multifactor authentication (MFA)—you are in a strong position to use ITDR tools.
As you think about adopting ITDR, you should consider your current strategy for keeping your identities safe. And ask yourself how ITDR tools will help improve your processes. Here are some tips for moving to an ITDR approach:
- Find your vulnerable identities. You should look for potential identity vulnerabilities in these three categories: unmanaged, misconfigured and exposed.
- Monitor for identity threats. You need to continuously monitor for suspicious user activity. One way to do this is to integrate ITDR tools with your existing SIEM system.
- Create a plan. Make sure your incident response plan includes a plan for responding to identity-based threats. For example, what is the response if user credentials are stolen?
- Train your users. It’s important for your security awareness program to teach users how to identify and respond to identity-related threats, like credential phishing.
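To make the first two tips concrete (and the scanning and trip-wire behavior described under “What is ITDR?”), here is an added toy example that is not Proofpoint code: it sorts a constructed account inventory into the unmanaged, misconfigured and exposed categories, then alerts on any logon attempt against a decoy account found in constructed log lines. The inventory fields, decoy names and log format are all assumptions for illustration.

```python
import re

# Constructed inventory (not a product schema); the field names are assumptions.
INVENTORY = [
    {"name": "svc_backup", "privileged": True, "in_pam": False, "mfa": False, "cached_on": 0},
    {"name": "alice.admin", "privileged": True, "in_pam": True, "mfa": False, "cached_on": 0},
    {"name": "bob", "privileged": False, "in_pam": False, "mfa": True, "cached_on": 3},
]

def classify_identities(inventory):
    """Sort accounts into the unmanaged / misconfigured / exposed buckets."""
    findings = {"unmanaged": [], "misconfigured": [], "exposed": []}
    for acct in inventory:
        if acct["privileged"] and not acct["in_pam"]:   # privileged, outside the PAM vault
            findings["unmanaged"].append(acct["name"])
        if acct["privileged"] and not acct["mfa"]:      # privileged, no MFA enforced
            findings["misconfigured"].append(acct["name"])
        if acct["cached_on"] > 0:                       # credentials cached on endpoints
            findings["exposed"].append(acct["name"])
    return findings

# Decoy ("trip-wire") accounts: no legitimate user or process ever logs on with them.
DECOYS = {"da_legacy", "sql_svc_old"}

# Constructed log lines in a simplified key=value logon format.
LOG_LINES = [
    "2024-01-01T10:00:00Z event=logon user=alice.admin src=10.0.0.5 result=success",
    "2024-01-01T10:00:07Z event=logon user=da_legacy src=10.0.0.42 result=failure",
    "2024-01-01T10:00:09Z event=logon user=bob src=10.0.0.7 result=success",
]
LOGON_RE = re.compile(r"^(\S+) event=logon user=(\S+) src=(\S+) result=(\S+)$")

def detect_decoy_use(log_lines, decoys=DECOYS):
    """Alert on any logon attempt against a decoy, failed attempts included."""
    alerts = []
    for line in log_lines:
        m = LOGON_RE.match(line)
        if m and m.group(2) in decoys:
            ts, user, src, result = m.groups()
            alerts.append({"time": ts, "decoy": user, "src": src, "result": result})
    return alerts

if __name__ == "__main__":
    print(classify_identities(INVENTORY))
    print(detect_decoy_use(LOG_LINES))
```

In practice the alert dictionaries would be forwarded to the SIEM mentioned in the second tip, so the decoy hit lands next to the endpoint and network telemetry already collected there.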
What’s next?
It’s no longer enough to simply make sure that the users who access your systems and data are legitimate. A proactive defense against identity-based threats is a key part of the future of cybersecurity. That’s where ITDR can help. ITDR introduces a new class of tools and best practices to protect and defend identities. It also expands the possibilities for businesses that want to better protect their identities. It can make your company’s security posture exponentially stronger.
The days of locking the door to a computer room and calling the assets inside that perimeter “secure” have long since passed. With ITDR to complement other vital defenses like EDR and XDR, there’s a strong chance that defenders can once again get the edge on bad actors—and keep them out of places where they aren’t welcome.
Ready to boost your defenses with ITDR?
Proofpoint provides a comprehensive ITDR solution to help you discover and remediate identity risks and detect and respond to active threats. Our solution can also help you stop attacks earlier because it enables you to set a large maze of real-looking traps across your environment that only attackers will interact with.
The Proofpoint Identity Threat Defense platform includes:
- Proofpoint Spotlight, which can help your business to discover and remediate identity vulnerabilities before attackers find them
- Proofpoint Shadow, which uses modern deception technology to help you detect and stop attackers before they can cause significant damage
Learn more about how Proofpoint can help improve your security while making the most of other critical tools like EDR and XDR.