As digital infrastructure grows, so does the number of identities in an organization's IT ecosystem. Identity and Access Management (IAM) and Identity Governance and Administration (IGA) tools help organizations manage those identities, but what happens when the IAM infrastructure itself is misconfigured or compromised? And how can IT and security teams detect and respond in real time?
In this part of our ‘Solving the Identity Management Challenge’ series, we’ll explore Identity Threat Detection and Response (ITDR) and how ITDR capabilities help organizations identify and respond to identity threats.
What is Identity Threat Detection and Response?
According to Gartner, ITDR is, “A security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.”
ITDR is a young category: Gartner first recognized it in its 2022 Hype Cycle. Demand has grown quickly because attackers target identities and the IAM systems that manage them to gain unauthorized access to an organization’s sensitive data. ITDR detects and tracks anomalies in user behavior and malicious activity such as account takeover, credential theft, activity that exceeds a user’s legitimate entitlements, and insider threats. It complements preventive controls such as IAM, Privileged Access Management (PAM), and Role-Based Access Control (RBAC): those decide who may access what, while ITDR watches how identities actually behave, deepening an organization’s identity intelligence so it can detect and respond to security incidents.
The Challenges of Detecting Identity-Based Threats
Cybercriminals are refining their techniques and increasingly targeting identities. Why? Beyond the fact that the general workforce is a relatively easy target, the widespread adoption of cloud applications and collaboration tools has led to a proliferation of identities created by users with little security awareness. According to the Identity Defined Security Alliance, 90% of companies reported at least one identity-based security incident in the last 12 months.
But detecting identity-based threats is no simple matter. Several distinct and emerging factors make identity management and response difficult:
- Attack surface complexity is increasing: Organizations have accelerated their digital transformation efforts over the last few years; the average organization now uses 371 SaaS apps, often alongside a multi-cloud strategy. While new tools and work environments have boosted productivity, they have made identity visibility and management harder and opened security gaps. Each platform logs identity activity in its own format, so retrieving, normalizing, and interpreting that data demands a dedicated set of capabilities.
- Cyber threats are evolving: Attacker tactics evolve alongside defenses, and user identities and credentials are now a prime target. With the widespread adoption of cloud services and the shift toward Zero Trust, access decisions hinge on identity rather than network location, so in many cases a compromised identity is the attacker’s primary avenue for moving within an organization. Combined with the ongoing churn in identity technologies, this lengthens detection time and gives attackers more time to move through an organization’s systems.
- Legacy technology is still in use: Many organizations still rely on Active Directory or Lightweight Directory Access Protocol (LDAP) directories. These older systems are difficult to monitor, especially from remote locations and across distributed environments, and they expand the organization’s attack surface.
- More information is needed to investigate: Triaging a suspicious identity event often requires context that traditional identity management solutions do not provide, starting with whether the event is a genuine threat at all. Answering that means gathering information about the flagged identity: its usage across applications, human resources data, and whether the user was on-site, remote, or on vacation at the time. That additional data is frequently unavailable.
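The normalization and context-enrichment problems described in the last two items lend themselves to a small worked example. The Python below is added here for illustration and is not code from the original article or from any vendor's product: it maps two constructed log formats (an identity-provider style JSON audit event and an Active Directory style security-event line) onto one schema, enriches each event with constructed HR context, and runs a few simple ITDR-style rules over the result. Every log line, user record, rule name, privileged-group list and the 30-minute window are assumptions made for the example; the AD timestamps are assumed to be UTC.

```python
"""Added example: normalize identity events from two constructed log formats,
enrich them with HR context, and run simple ITDR-style detections over them.
Illustrative code written for this article, not a product's detection logic."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: IdP-style JSON audit events (field names loosely mimic a
# SaaS identity provider's system log) and Active Directory style security
# events (4624 = logon, 4728 = member added to a global group). Not real data.
SAAS_EVENTS = [
    '{"eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},'
    '"client":{"geographicalContext":{"country":"DE"}},"published":"2024-03-04T08:12:00Z"}',
    '{"eventType":"user.mfa.factor.deactivate","actor":{"alternateId":"alice@example.com"},'
    '"client":{"geographicalContext":{"country":"DE"}},"published":"2024-03-04T08:15:00Z"}',
    '{"eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},'
    '"client":{"geographicalContext":{"country":"US"}},"published":"2024-03-04T09:00:00Z"}',
]
AD_LINES = [
    "2024-03-04 08:20:05 EventID=4728 Subject=alice@example.com Member=svc-backup Group=Domain Admins",
    "2024-03-04 09:05:10 EventID=4624 Subject=bob@example.com LogonType=10",
]

# Constructed HR context: the "additional data" an investigation needs and
# identity tools often lack (home country, employment status, job role).
HR_CONTEXT = {
    "alice@example.com": {"home_country": "US", "status": "on_leave", "role": "analyst"},
    "bob@example.com": {"home_country": "US", "status": "active", "role": "it_admin"},
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumed list

SAAS_ACTIONS = {"user.session.start": "login", "user.mfa.factor.deactivate": "mfa_disable"}
AD_ACTIONS = {"4624": "login", "4728": "group_add"}
AD_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
                     r"Subject=(?P<subject>\S+)(?P<rest>.*)$")
# key=value pairs whose values may themselves contain spaces ("Group=Domain Admins")
AD_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def normalize_saas(line: str) -> dict:
    """Map one IdP JSON event onto the common schema."""
    ev = json.loads(line)
    return {
        "ts": datetime.fromisoformat(ev["published"].replace("Z", "+00:00")),
        "user": ev["actor"]["alternateId"],
        "action": SAAS_ACTIONS.get(ev["eventType"], ev["eventType"]),
        "country": ev["client"]["geographicalContext"]["country"],
        "source": "idp",
        "detail": {},
    }


def normalize_ad(line: str) -> dict:
    """Map one AD-style text line onto the common schema (timestamps assumed UTC)."""
    m = AD_LINE.match(line)
    if not m:
        raise ValueError(f"unparsed AD line: {line!r}")
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
        "user": m["subject"],
        "action": AD_ACTIONS.get(m["eid"], f"event_{m['eid']}"),
        "country": None,  # on-prem logs carry no geographic context
        "source": "ad",
        "detail": dict(AD_KV.findall(m["rest"])),
    }


def detect(events: list, hr: dict = HR_CONTEXT, window: timedelta = timedelta(minutes=30)) -> list:
    """Run four constructed rules over time-ordered events; return (rule, user, ts) tuples."""
    findings = []
    last_foreign_login = {}  # user -> ts of most recent login outside the home country
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ctx = hr.get(e["user"], {})
        # Login from a country other than the user's HR-recorded home country.
        if e["action"] == "login" and e["country"] and e["country"] != ctx.get("home_country"):
            last_foreign_login[e["user"]] = e["ts"]
            findings.append(("login_outside_home_country", e["user"], e["ts"]))
        # MFA removed shortly after such a login: a classic account-takeover sequence.
        if e["action"] == "mfa_disable":
            seen = last_foreign_login.get(e["user"])
            if seen is not None and e["ts"] - seen <= window:
                findings.append(("mfa_disabled_after_foreign_login", e["user"], e["ts"]))
        # Privileged group membership changed by someone whose role does not justify it.
        if (e["action"] == "group_add" and e["detail"].get("Group") in PRIVILEGED_GROUPS
                and ctx.get("role") != "it_admin"):
            findings.append(("privileged_group_change_by_non_admin", e["user"], e["ts"]))
        # Any activity by an account HR says is on leave deserves a second look.
        if ctx.get("status") == "on_leave":
            findings.append(("activity_while_on_leave", e["user"], e["ts"]))
    return findings


def run_example() -> list:
    """Normalize both constructed sources and run the detections over them."""
    events = [normalize_saas(l) for l in SAAS_EVENTS] + [normalize_ad(l) for l in AD_LINES]
    return detect(events)


if __name__ == "__main__":
    for rule, user, ts in run_example():
        print(f"{ts.isoformat()}  {user:<20}  {rule}")
```

The point of the example is the shape of the pipeline rather than the rules themselves: nothing interesting can be said about the AD group change or the MFA removal until both sources speak the same schema and the HR record is joined in; with that context, alice's three events read as one sequence (foreign login, MFA disabled, privileged group change, all while on leave) rather than three unrelated alerts in three consoles.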
Enhancing Identity Management with Identity Threat Detection and Response
ITDR adds a security-led layer on top of traditional identity management: it watches identities, their behavior, and the threats against them, and it works best as a complement to a more comprehensive identity management solution. Used alone, however, ITDR falls short when it comes to acting on a potential incident, for example where it cannot itself verify a user’s connection or where more data is needed to investigate a suspicious identity event.
And while ITDR grew out of the move away from perimeter-based security, it is increasingly clear that ITDR is not a standalone market. Today it adds the most value when merged into a broader, more comprehensive identity offering, a trend evidenced by Okta's acquisition of Spera and Delinea’s acquisition of Authomize.
To address identity management and identity threat detection and response together, the market keeps looking for a new approach: one that delivers quick time to value, provides a centralized identity repository with a holistic view of every identity and its entitlements across the organization, and captures the best of what ITDR promises.
In the next installment of our ‘Solving the Identity Management Challenge’ series, we’ll explore the latest identity management trends and ideas discussed at Gartner’s Identity and Access Management Summit.