What is Identity Threat Detection and Response (ITDR)?
Identity Threat Detection and Response (ITDR) explained
ITDR is an approach to protecting the integrity of your identity systems in an era when identity has become a basic business need and the new network perimeter. The controls, threat intelligence and processes in Identity Threat Detection and Response enable you to detect and respond to identity threats that elude the protection provided by your identity and access management (IAM) tools.
Why is ITDR important? What security challenges does it address?
Your identity systems are designed for prevention and built around tools like IAM, privileged access management (PAM) and identity governance and administration (IGA) to stop illicit network access. They strengthen account hygiene and keep you ahead of attackers by exposing and mitigating misconfigurations. They identify and apply additional prevention to protect your business-critical assets.
Identity systems are part of your competitive advantage, making collaboration possible among your employees, customers and business partners. No wonder those systems have become ripe targets for cybercriminals attempting to steal credentials (usernames and passwords), thwart multifactor authentication (MFA) and undermine prevention outright.
Identity Threat Detection and Response reinforces your up-front prevention with detection – continuous monitoring of factors like indicators of compromise (IOC) and user behavior analytics (UBA). When a threat is identified, ITDR processes and tools apply a response aimed at neutralizing it, mitigating the risk of breach and providing for recovery back to a known good state.
How do organizations solve the problem of identity-related risk today?
Most organizations rely on IAM tools to control and authenticate who has secure access to their data. The vast majority of enterprises rely on Active Directory as a mainstay of their IAM effort, both on premises and in the cloud. They understand IAM and its preventive value, but the security perimeter (and the target of threat actors) is shifting to identity, and a re-focusing is in order.
The landscape of identity threats is evolving to include generative AI in phishing techniques, dark-web marketplaces for stolen credentials and an attack surface encompassing IoT devices. IAM tools are overwhelmed as identity threats grow more sophisticated. You can think of your infrastructure security controls as your backstop, but they are not designed to protect identity systems.
In short, your prevention tools may be good, but they are only the first line of defense for your identity systems. Robust security comes from reinforcing them with Identity Threat Detection and Response.
According to Gartner, “ITDR is a security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure” (Teixeira, Firstbrook, Allan and Archambault, 2022, p. 3).
In the framework of the Center for Internet Security’s Critical Security Controls (CIS Controls), Identity Threat Detection and Response deals with account monitoring and control (Control 16) and maintenance, monitoring and analysis of audit logs (Control 6). In the NIST Cybersecurity Framework published by the U.S. National Institute of Standards and Technology, ITDR supports three aspects: detect, respond and recover.
What is NDR?
Network Detection and Response (NDR) focuses on finding and stopping abnormal behavior in network traffic, which has long been the main focus of enterprise security. NDR includes firewalls and deep packet inspection to keep attackers out by continuously analyzing raw network packets or traffic metadata in search of anomalous behavior. It is designed to detect the results of a data breach, such as ransomware, insider threats and lateral movement within the network.
NDR relates to malware defenses (CIS Control 8) and implementing a security awareness and training program (Control 17). In the NIST Framework, NDR supports three aspects: protect, detect and respond.
What is EDR?
Endpoint Detection and Response (EDR) corresponds to the growth in computing on endpoints (workstations, laptops, tablets, mobile devices), especially outside of the network perimeter. As attacks on endpoints have increased, EDR has emerged as an approach for defending against security threats by monitoring and analyzing the activity of the organization’s endpoints. It detects when threats have been identified; provides investigation, response and alerts; and retains endpoint data for historical analysis and threat hunting.
EDR supports the limitation and control of network ports, protocols and services (CIS Control 9) and boundary defense (Control 12). In the NIST Framework, EDR covers two aspects: detect and respond.
What is XDR?
Extended detection and response (XDR) is focused on security incident detection and automated response across the infrastructure. XDR tools integrate cyber threat intelligence and telemetry data from multiple sources. They turn the data into security analytics that help security operations center (SOC) and incident response teams see security alerts in context and connect the dots among them. The tools are also capable of automating responses to threats according to playbooks.
XDR covers controlled use of administrative privileges (CIS Control 4), malware defenses (Control 8) and application software security (Control 18). In the NIST Framework, XDR deals with two aspects: detect and respond.
What is Active Directory Threat Detection and Response (AD TDR)?
AD is the centerpiece of the identity system in many enterprises. As such, it is continually used as an attack vector both in the data center and to move to the cloud or Microsoft 365 for greater access.
AD TDR is focused on defending against threats to AD, for example by using a platform-specific tool to detect and send alerts on the misuse of the AD Group Policy infrastructure. Attackers try to exploit Group Policy because of its systems management capability inside the AD identity platform. AD TDR detects changes to Group Policy Objects and any affected identities, then responds according to an identity threat playbook or by notifying security teams. It protects the secure operation of AD as an integral part of the enterprise identity infrastructure.
As Gartner notes, “AD TDR tools fulfill this mission by applying threat intelligence, behavioral signatures, heuristics, statistical analysis, analyses of known tactics, techniques and procedures (TTPs) and machine learning algorithms to discover indicators of exposure and indicators of compromise in Active Directory.”
What are best practices to identify, detect and respond to identity system attacks?
As organizations make it easier for employees, customers and business partners to access their data from anywhere with any device, identity becomes the new perimeter – the key to that access. As a result, attacks on users’ identities and on the identity systems themselves have increased in frequency and force.
Enterprises that subscribe to Identity Threat Detection and Response effectively give identity its own security discipline based on prevention, detection and response:
- Prevention – Taking stock of the IAM controls they already have in place, these organizations apply configuration hygiene and controls to lock down critical assets. They strengthen their identity security by rooting out misconfigurations and changes to IAM settings, patching vulnerabilities as they are discovered and minimizing exposure by shrinking their attack surface.
- Detection – They strengthen their detection controls around identity, emphasizing identity tactics, techniques and procedures (TTPs) in particular.
- Response – They ensure that IAM enforcement is included in their response playbooks and in automating the processes of eliminating any identity threats as they are detected. They include IAM incidents in their ongoing efforts to hunt for threats.
What's the difference between Identity Access Management and Identity Threat Detection?
Identity Access Management (IAM) and Identity Threat Detection (ITDR) serve complementary but distinct purposes in cybersecurity. IAM focuses on prevention and access control — ensuring the right people and resources have appropriate access to systems they need. It manages user permissions, authentication, and access across various applications and systems.
While ITDR monitors for threats targeting identity systems, it also focuses on protection and prevention by maintaining robust identity infrastructure hygiene to prevent attacks before they occur. We refer to the protection and prevention aspects as “the silent P” in ITDR. Protection/prevention and detection operate in what we call a virtuous cycle, where each informs the other for constant improvement.
This preventive aspect includes continuously assessing and hardening identity systems, eliminating misconfigurations, and ensuring secure architecture. While IAM prevents unauthorized access through authentication and permissions, ITDR provides comprehensive protection of the identity infrastructure itself, actively monitors for threats that may bypass IAM controls, and responds to potential compromises. Think of IAM as the front-line defense controlling who gets in, while ITDR both strengthens the underlying identity foundation and actively monitors for threats that may have slipped through or are attempting to undermine those controls.
What are some common identity vulnerabilities?
Identity systems face an evolving landscape of sophisticated threats that can compromise organizational security. One of the most prevalent vulnerabilities is credential-based attacks, where cybercriminals attempt to steal or compromise usernames, passwords, and even multi-factor authentication systems. Another significant concern is the growing sophistication of phishing attacks, particularly those leveraging generative AI and dark web resources to target identity systems.
The expanding attack surface, especially with the proliferation of IoT devices and cloud services, creates additional vulnerabilities. Common weak points include:
- Misconfigured identity and access settings that create security gaps in critical systems like Active Directory, often stemming from poor identity infrastructure maintenance and hygiene
- Insufficient monitoring of user behavior patterns and access anomalies, combined with inadequate preventative measures to harden identity systems
- Weak identity governance and lifecycle management processes that leave organizations exposed to unauthorized access and fail to maintain clean identity infrastructure
What are the benefits of ITDR?
Identity Threat Detection and Response (ITDR) provides organizations with crucial capabilities to protect their identity infrastructure in today's evolving threat landscape. By implementing ITDR, organizations gain both preventative protection through improved identity infrastructure hygiene and continuous monitoring of identity systems, enabling them to detect and respond to potential compromises and suspicious activities quickly. This goes beyond traditional IAM prevention controls, offering a more comprehensive approach to identity security.
ITDR delivers value through several key advantages:
- Enhanced protection through both preventive measures that harden identity infrastructure and automated detection and response capabilities that can quickly identify and neutralize identity-based threats
- Seamless integration with existing security frameworks, including CIS Controls and NIST Cybersecurity Framework, while adding crucial preventive capabilities for identity system hygiene
- Comprehensive coverage of the modern identity attack surface, with special attention to critical infrastructure like Active Directory, including both monitoring and preventive hardening
- Ability to restore compromised systems to a known good state, ensuring business continuity and improved security posture