Identity Threat Detection and Response (ITDR) represents a crucial advancement in cybersecurity, focusing on protecting identities and credentials, which are often the primary targets in cyber attacks. By detecting and responding to threats against user identities, ITDR helps secure access to organizational resources, ensuring that only legitimate users have access.
Identity is the center of the modern enterprise. There are both cloud and network identities as well as machine and human identities, ranging across SaaS applications, public clouds, secure web gateways, AD services and local services. In the past year, 98% of companies saw an increase in identities [1]. For every human identity, there are 45 machine or service identities [2]. This presents a significant challenge for defenders as 62% don’t have visibility into humans or machines accessing sensitive data and assets [2].
Identity has become the center of modern attacks, as different types of attackers such as ransomware gangs, nation-state attackers, and professional cybercriminals all abuse identity in their attacks. Therefore, 90% of organizations have experienced an identity attack in the past year [1].
In addition, successful identity attacks come at a huge cost for organizations. For example, Okta suffered a $2 billion loss in market capitalization and lost data on all customer support users; MGM suffered up to $8.4 million lost per day; Caesars Palace paid $15 million in ransom. In fact, 68% of companies suffered direct business impact from an identity breach [1].
Organizations that have prevention and identity posture management are still vulnerable to identity attacks, as attackers increasingly bypass MFA and prevention. According to Gartner, ITDR works as the second and third layers of defense after prevention fails.
Identity Threat Detection and Response (ITDR) is crucial for organizations to protect valuable assets and stop identity threats before they cause damage and business impact.
The Gartner Hype Cycle for Security Operations 2023 gives ITDR a high benefit rating and states that securing organizational identity infrastructure is mission-critical for security operations.
If organizational accounts are compromised, permissions are set incorrectly, or identity infrastructure itself is compromised, attackers can take control of the systems.
Therefore, protecting identity infrastructure and defending against identity attacks must be a top priority.
Highly efficient ITDR solutions employ cutting-edge machine learning algorithms and AI models to analyze the behavior of identities (network, cloud, human, machine and service identities) within an organization’s network and cloud.
These solutions track user activities, permissions, and access patterns to identify deviations from established norms. By mapping these behaviors to known threat models, ITDR solutions can pinpoint potential threats with a high degree of accuracy.
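The baseline-and-deviation step described above, as an added Python sketch that is not taken from any ITDR product. The event fields, identity names, one-hour drift tolerance and per-kind thresholds are all assumptions chosen for illustration, and simple set membership stands in for the machine learning models the text mentions.

```python
from collections import defaultdict

# Constructed events: (identity, kind, resource, source_network, hour_utc)
HISTORY = [
    ("alice", "human", "crm", "corp-vpn", 9),
    ("alice", "human", "mail", "corp-vpn", 10),
    ("svc-backup", "machine", "storage", "dc-subnet", 2),
    ("svc-backup", "machine", "storage", "dc-subnet", 3),
]
NEW = [
    ("alice", "human", "mail", "corp-vpn", 11),              # matches baseline
    ("alice", "human", "hr-db", "corp-vpn", 10),             # one deviation
    ("alice", "human", "hr-db", "unknown-asn", 3),           # three deviations
    ("svc-backup", "machine", "idp-admin", "dc-subnet", 2),  # one deviation
    ("bob", "human", "crm", "corp-vpn", 9),                  # never seen before
]

def build_baseline(events):
    """Collect the resources, sources and hours seen for each identity."""
    base = defaultdict(lambda: {"resource": set(), "source": set(), "hours": set()})
    for ident, _kind, resource, source, hour in events:
        base[ident]["resource"].add(resource)
        base[ident]["source"].add(source)
        base[ident]["hours"].add(hour)
    return base

def deviations(base, event):
    """Return the ways an event departs from its identity's established norm."""
    ident, _kind, resource, source, hour = event
    if ident not in base:
        return ["no_baseline"]
    seen = base[ident]
    found = [f"new_{field}" for field, value in (("resource", resource), ("source", source))
             if value not in seen[field]]
    # Allow one hour of drift around observed hours, wrapping at midnight.
    if not any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in seen["hours"]):
        found.append("unusual_hour")
    return found

def detect(base, events):
    """Alert when deviations reach the threshold for the identity kind."""
    # Assumption: machine identities behave narrowly, so one deviation suffices.
    threshold = {"human": 2, "machine": 1}
    alerts = []
    for event in events:
        found = deviations(base, event)
        if found == ["no_baseline"] or len(found) >= threshold[event[1]]:
            alerts.append((event[0], event[2], found))
    return alerts
```

A single new resource for a human identity stays below the alert threshold here, while the same deviation on a service identity alerts, which is one way to keep alert volume manageable when machine identities outnumber human ones.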
ITDR solutions provide real-time alerts and insights, enabling security teams to respond promptly to potential threats. They also integrate seamlessly with other cybersecurity tools and solutions, such as identity and access management (IAM) systems and security information and event management (SIEM) platforms, to provide a comprehensive approach to threat detection and response.
An effective ITDR solution correlates with your network and cloud detection and operates within the scope of your other tools, not in a silo. The solution should allow your organization to:
According to Gartner, ITDR requires coordination between IAM and security teams. Organizations are advised to combine foundational IAM infrastructure hygiene such as PAM and IGA with ITDR and integrate it into the IAM program. It is important to prioritize securing identity infrastructure with tools to monitor identity attack techniques, protect identity and access controls, detect when attacks are occurring, and enable fast remediation. The MITRE ATT&CK framework should also be used to correlate ITDR techniques with attack scenarios to ensure that at least well-known attack vectors are addressed.
Identities are increasingly targeted by adversaries and implementing ITDR is not just an option but a necessity. Vectra AI is at the forefront of providing advanced ITDR solutions that empower security teams to proactively detect and respond to identity threats.