Table of Contents
ITDR is short for identity threat detection and response, a new class of cybersecurity solutions that focuses on protecting identity-based systems from cyber threats. ITDR involves a combination of security tools, processes, and best practices to effectively detect and respond to identity-related threats.
Identity has been described as the new vulnerability perimeter because even if a network, endpoint, and all other devices are secured, a cyber-attacker only needs access to one privileged account to compromise enterprise resources. For this reason, Gartner named ITDR one of the top security and risk management trends for 2022.
Cybersecurity Education and Training Begins Here
Here’s how your free trial works:
- Meet with our cybersecurity experts to assess your environment and identify your threat risk exposure
- Within 24 hours and minimal configuration, we’ll deploy our solutions for 30 days
- Experience our technology in action!
- Receive report outlining your security vulnerabilities to help you take immediate action against cybersecurity attacks
Fill out this form to request a meeting with our cybersecurity experts.
Thank you for your submission.
What Is a Complete Identity Threat Detection and Response (ITDR) System?
ITDR is a security category that’s adjacent to other detection solutions such as Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), and Network Detection and Response (NDR). Despite their shared nomenclature, some ITDR capabilities are a broad departure from its EDR and XDR predecessors.
The capabilities of ITDR systems require a more nuanced understanding of why identity deserves its own detection and response category of solutions. In turn, a complete ITDR system includes a comprehensive set of threat intelligence tools and processes designed to protect identity systems, detect when they’re compromised, and enable efficient remediation.
More specifically, an ITDR system may support a combination of the following:
- Configuration, policy, and identity data analysis to assess the security posture of an organization’s active directory environment.
- Attack path management and impact analysis.
- Risk scoring and prioritization.
- Real-time monitoring of runtime behaviors for common indicators of compromise.
- Machine learning or analytics to detect abnormal behaviors or events.
- Automated remediation and incident response.
- Dashboards, alerts, reports, search, and incident management.
- Integration with security information and event management (SIEM) and security orchestration automation and response (SOAR) tools.
- Integration with multifactor authentication solutions to deliver step-up authentication in response to risk events.
- Risk signal sharing with additional modules (for suite providers) and third-party tools.
The emergence of ITDR highlights that identities deserve the same level of management and control that organizations have applied to their hosts, networks, systems, and software – if not more. This is now more important than ever since identities have become the predominant attack vector for cyber-attacks.
Identity and Access Management (IAM) and ITDR
As a more widely-known ITDR predecessor in the cybersecurity landscape, Identity and Access Management (IAM) refers to the processes and technologies used to control user access to information systems and applications. IAM helps to ensure that users have the appropriate permissions and access levels based on their roles and responsibilities. It minimizes the risk of unauthorized access to sensitive data and systems, thereby reducing the risk of data breaches and other cyber-attacks.
ITDR takes a more complete approach to detect, respond to, and mitigate security threats related to user identity and access. IAM is an integral component of ITDR as it establishes the framework for controlling and monitoring access to sensitive information. In creating an adjunct between IAM and ITDR systems, the most effective cybersecurity strategies include a combination of the following:
- Multifactor authentication: MFA requires users to provide more than one form of identification to access a system or application. For example, a user may be required to provide a password as well as a 6-digit PIN sent to their personal device to access sensitive information.
- Role-based access control: As a fundamental component of IAM, role-based access control involves assigning access levels to users based on their roles and responsibilities. For example, a junior employee may have limited access to sensitive data, while a senior executive may be granted wider permission to access more data.
- Privileged access management (PAM): Similar to role-based access control, users are assigned certain degrees of privilege based on their organizational roles and duties. While it is a particular subset of IAM, it has flaws in addressing insider threats in progress.
- Continuous monitoring: This discipline centers on monitoring user activity in real-time to detect anomalous behavior. For example, a user attempting to access a system at an unusual time or location may indicate a security threat.
- Threat response planning: This proactive measure involves having a plan in place to respond to security threats quickly and effectively. This can help minimize the impact of a security breach and reduce the risk of further damage.
In addition to the measures above, IAM principles can also be leveraged to enhance ITDR by providing audit trails and user activity logs. These logs can be used to detect anomalous behavior that may be indicative of a security threat. For example, if a user attempts to access a resource they are not authorized to access, IAM can log this activity and alert ITDR personnel to investigate further.
Why Is ITDR Important?
With the increasing frequency and sophistication of cyber-attacks, ITDR is becoming more critical than ever before. Today’s cybercriminals are increasingly adept at using identity-based tactics to breach accounts and gain unauthorized access to sensitive information. In turn, companies are challenged by a myriad of threat techniques and additional external factors in the digital landscape.
- Open-Source Attacks: Cyber-attackers frequently leverage open-source attack tools to compromise identities, hide their nefarious activities, and more quickly move through the stages of their attack before completing their final action.
- Phishing Scams: As another example, cyber-attackers may use phishing emails to coerce users into revealing their login credentials or sharing protected access.
- Credential stuffing: A type of cyber-attack where attackers attempt to gain unauthorized access to protected accounts using stolen or leaked usernames and passwords, commonly from a data breach.
- Social Engineering Tactics: Cybercriminals can also use social engineering tactics to impersonate authorized users into tricking victims into sharing information.
- Remote Work: The rise of remote work has further increased the risk of identity-based attacks. With more employees working from home and using personal devices to access company systems, organizations can struggle to maintain visibility and control over user access.
- Regulatory Compliance: ITDR is also becoming more important due to the increasing regulatory requirements around data privacy and security. Many industries, such as healthcare and finance, are subject to strict regulations around data protection, and organizations that fail to comply can face significant fines and reputational damage.
To address these challenges, organizations are turning to ITDR solutions to protect their systems and prepare for specific vulnerabilities that may arise.
ITDR Facts and Trends
With the release of the Gartner report “Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response,” security and risk management professionals now have access to new research, insights, and recommendations for addressing identity security issues. These facts and trends highlight the growing interest and demand in ITDR.
Identity Is the Top Vector for Cyberattacks
Catalyzed by COVID-19, attackers capitalized on the identity-based shift in remote work. According to Gartner, “Organizations’ reliance on their identity infrastructure to enable collaboration, remote work, and customer access to services has transformed identity systems into prime targets.” Security teams have grappled with the operational realities of a workforce that could not come to work in the office.
Identity Is the New Vulnerability
With the adoption of cloud computing and the need to support work from home, identity-focused solutions have become a foundation of cybersecurity. Gartner states that “Identity threats are multifaceted. Misconfigurations of, and vulnerabilities in, identity infrastructure can be exploited.” Further, data from Identity Theft Resource Center shows ransomware-related attacks doubled in 2020 and doubled again in 2021, a common identity-based threat.
Attackers Exploit Gaps Between Identity and Security Systems
The deployment of identity systems, such as IAM, PAM, and MFA, are often multi-phased projects, leaving identities exposed until those deployments are fully completed. These deployments are further challenged by the constant changes of identities, which need to be re-discovered over time to make these deployments successful. Furthermore, the process of discovering and auditing accounts is often a time-consuming, manual, and error-prone process.
ITDR Is a Top Cybersecurity Priority
According to Gartner, “Modern identity threats can subvert traditional identity and access management (IAM) preventive controls, such as multifactor authentication (MFA). This makes identity threat detection and response (ITDR) a top cybersecurity priority for 2022 and beyond.” With attackers now focused on exploiting vulnerable identities, organizations must now work to make securing identities a top priority.
Types of Identity Vulnerabilities
Despite using measures like PAM, MFA, and other IAM solutions to protect identities from being exploited, vulnerabilities often remain present. The causes of identity vulnerabilities fall into three (3) categories: unmanaged, misconfigured, and exposed identities.
- Service Accounts – Machine identities go unmanaged by PAM because they were undiscovered during implementation, and not all applications are compatible with PAM, such as legacy applications for which the cost of modernization is cost-prohibitive.
- Local Admins – Local admin privileges facilitate a variety of IT support requests but often go undiscovered or forgotten after their creation, leaving them unmanaged.
- Privileged Accounts – Many other privileged accounts go unmanaged by PAM or MFA solutions because they remain undiscovered during deployment.
- Shadow Admins – The complexity of nested identity groupings make it extremely difficult to see the complete rights and entitlements of all identities, causing accounts to be granted unintended excessive privileges.
- Weak Encryption and Passwords – Identities configured to leverage weak or missing encryption or do not enforce strong password policies.
- Service Accounts – Machine identities with privileged access rights may be misconfigured to incorrectly allow for interactive login by humans.
- Cached Credentials – Account and credential information commonly stored on endpoints memory, registry, and disk, where they are easily exploited by commonly used attacker tools.
- Cloud Access Tokens – Cloud access tokens stored on endpoints are a common way attackers access cloud assets.
- Open RDP Session – Remote application sessions may be improperly closed, enabling attackers to leverage an open session and its privileges, largely without the risk of detection.
It’s important to note that any identity can be vulnerable in numerous ways and across these three vulnerability categories. These identities often expose organizations to the greatest level of identity risk.
For instance, a single identity can be misconfigured to hold unintended Shadow Admin rights, which, by its nature, causes this identity to go unmanaged due to the lack of IT knowledge that typically triggers extra access management protection intended for accounts with the rights it holds (PAM, MFA, etc.). This same identity can be further used in ways to expose its credential.
What to Look for in an ITDR Solution
Comprehensive ITDR solutions should include preventative capabilities that discover and remediate gaps in an organization’s identity posture, as well as detective capabilities that accurately alert on indicators of compromise as they occur.
ITDR Preventative Controls
ITDR preventative controls discover and remediate identity vulnerabilities before threat actors attempt to exploit them.
Much like traditional vulnerability and risk management programs, the discovery capabilities of ITDR enable organizations to inventory the risks of their identity “assets.” The most effective ITDR solutions deliver automated, continuous, and comprehensive identity discovery, including visibility into unmanaged, misconfigured, and exposed privileged accounts.
This visibility enables effective IT and Infosec decision-making to mitigate these risks in the large, multi-phased deployments of disparate identity management systems, such as IGA, PAM, MFA, SSO, and others. In fact, we’ve known that continuous scanning for issues is required to effectively manage any complex system, and identity management is no exception.
ITDR Detective Controls
ITDR detective controls alert at the moment there is an indication of a threat actor or insider attempting to compromise or leverage an identity in a way that creates risk for the organization. Detective controls are needed to mitigate risks that cannot be prevented so that the correct team members can be alerted and quickly respond if necessary in the event of an attack.
The accurate detection of identity threats before attack completion is difficult to achieve for several reasons:
- Less time to detect attacks: Attacker dwell times in many attack types, such as ransomware, have dropped from months to days in many cases. By focusing on compromising identities for system intrusions, attackers can move much more quickly through their attack.
- Reduced effectiveness of existing security controls: As attackers continue to exploit identities as their primary targets, they’ve all but abandoned many previous techniques, rendering security tooling for these techniques less effective. Attackers have also regularly demonstrated that once they escalate their privileges, they can disable security controls, including endpoint agents responsible for detecting them.
- Inability to accurately detect nefariousness from acceptable privileged account activity: Signature and behavioral-based analysis of privileged users has proven ineffective in accurately detecting nefarious privilege updates and lateral movement. The lack of sufficient acceptable behaviors of privileged admin accounts (what data scientists call high data entropy) has led to difficulties in establishing effective baselines required to minimize false positives.
As such, more accurate detection of compromised privileged accounts is needed. Deception and its deterministic approach of planting deceptive content to lure attackers offer a viable and proven alternative to behavioral analytics for accurately detecting privilege escalation and lateral movement.
When properly implemented, this approach plants lures that only an attacker would interact with, based on the understanding of the attacker’s techniques and tooling, leaving no clues for the attacker to believe they are being trapped.
How Proofpoint Can Help
Helping meet the growing demands of effective identity threat detection response, Proofpoint provides complete ITDR solutions for organizations and teams. Leverage preventative controls to continuously discover and remediate identity vulnerabilities before their exploitation. Utilize detective controls that employ deceptive techniques to accurately detect privilege escalation, account takeover, and lateral movement activities by threat actors as they occur. Learn more about how Proofpoint can help improve your ITDR.
Subscribe to the Proofpoint Blog