Identity Threat Detection and Response (ITDR)

Identity threat detection and response (ITDR) is a cybersecurity approach that aims to protect digital identities. It combines several tools, practices, and security frameworks to help organizations detect, investigate, and remediate identity-based threats.

ITDR can be considered the security arm of identity and access management (IAM) and privileged access management (PAM). While IAM and PAM are used to control what identities can do and the resources they can access, ITDR helps reveal suspicious activity and prevent unmanaged, misconfigured, or exposed identities from being abused by attackers.

Why is ITDR important?

Modern networks are complicated. People work remotely around the world, often using their own devices, and they engage with various systems, applications, and endpoints across on-premises and cloud environments. As a result, digital identities (human and machine) are both more abundant and more powerful – one set of credentials is often enough to access multiple applications. 

Identities are the keys to the kingdom. By compromising the right identity with the right privileges, attackers can infiltrate an entire network and impersonate users, move laterally across systems, and steal sensitive resources. Identity-based attacks, which grow ever more sophisticated, often come from inside a network and can bypass typical security infrastructure as a result. ITDR helps organizations uncover these blind spots, reduce the attack surface of their networks, and effectively respond to threats when they arise.

Types of identity threats 

ITDR helps organizations detect and respond to identity-related vulnerabilities such as:

Unmanaged or misconfigured identities

  • Excess privileges: Privileged users such as administrators may be left unmanaged by IAM or PAM solutions, leaving them more vulnerable to attack.
  • Service accounts: Machine identities are often overlooked when organizations roll out PAM, either because they are incompatible with legacy systems or because they were never discovered in the first place. Such accounts can be leveraged to cause serious damage to organizations.
  • Privilege creep: Users can collect excess privileges over time, often when IT teams have forgotten to revoke their access to certain applications or environments. If left undetected, these bloated accounts can be abused by attackers to access sensitive company resources or accidentally cause damage to the system. 
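All three gaps above can be checked from an entitlement inventory rather than waiting for an incident. The script below is an added illustration, not Rezonate's code or any product's API: it audits a constructed inventory for privilege creep (entitlements beyond the role baseline), privileged accounts that sit outside PAM, service accounts with no accountable owner, and privileged access that has gone unused. The identities, the role baselines, the set of "privileged" entitlements and the 90-day dormancy threshold are all assumptions.

```python
"""Entitlement hygiene audit over a constructed identity inventory.

Added example, not Rezonate's or any vendor's code. The inventory, the role
baselines, the set of privileged entitlements and the dormancy threshold are
all assumptions; a real ITDR integration would pull them from the IdP and PAM.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed high-impact entitlements that should always sit behind PAM.
PRIVILEGED = {"iam:admin", "db:admin", "cloud:owner"}
# Assumed review threshold: privileged access unused this long is suspect.
DORMANT_DAYS = 90
# Assumed least-privilege baseline per job role.
ROLE_BASELINE = {
    "developer": {"repo:write", "ci:run"},
    "dba": {"db:admin", "db:read"},
    "svc-backup": {"db:read", "storage:write"},
}


@dataclass
class Identity:
    name: str
    kind: str                    # "human" or "service"
    role: str
    entitlements: Set[str]
    days_since_use: int          # days since last authenticated use
    pam_managed: bool            # enrolled in the PAM vault / session broker
    owner: Optional[str] = None  # accountable person (matters for service accounts)


# Constructed inventory for illustration (not real accounts).
SAMPLE_INVENTORY = [
    Identity("alice", "human", "developer", {"repo:write", "ci:run", "db:admin"}, 3, False, "alice"),
    Identity("bob", "human", "dba", {"db:admin", "db:read"}, 120, True, "bob"),
    Identity("svc-backup-01", "service", "svc-backup", {"db:read", "storage:write", "cloud:owner"}, 1, False),
    Identity("carol", "human", "developer", {"repo:write"}, 5, False, "carol"),
]


def audit(identities: List[Identity]) -> List[Tuple[str, str, object]]:
    """Return (identity, finding, detail) tuples for each hygiene gap found."""
    findings = []
    for ident in identities:
        baseline = ROLE_BASELINE.get(ident.role, set())
        # Privilege creep: anything granted beyond the role's baseline.
        creep = ident.entitlements - baseline
        if creep:
            findings.append((ident.name, "privilege_creep", sorted(creep)))
        # Excess privilege outside PAM: high-impact rights with no vaulting or session control.
        held_priv = ident.entitlements & PRIVILEGED
        if held_priv and not ident.pam_managed:
            findings.append((ident.name, "unmanaged_privileged", sorted(held_priv)))
        # Service accounts with nobody accountable are usually the undiscovered ones.
        if ident.kind == "service" and ident.owner is None:
            findings.append((ident.name, "orphaned_service_account", None))
        # Dormant privileged access: still granted, never used, pure attack surface.
        if held_priv and ident.days_since_use > DORMANT_DAYS:
            findings.append((ident.name, "dormant_privileged", ident.days_since_use))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit(SAMPLE_INVENTORY):
        print(f"{name:15} {finding:26} {detail}")
```

Run against the sample inventory it reports six findings: alice has creep and an unvaulted admin right, bob's DBA access has been idle for 120 days, and the backup service account is over-privileged, unvaulted and ownerless; carol is clean. Each finding maps to a remediation (revoke, enroll in PAM, assign an owner, or disable) rather than just an alert.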

Exposed identities

Attackers use techniques such as spoofing, phishing, and brute force to take over the following types of identities, escalate their privileges, and reach sensitive data and resources:

  • Stolen accounts
  • Weak or leaked passwords 
  • Services and resources 
    • Cloud access tokens
    • Open sessions
    • Cached credentials

How does ITDR work? 

By integrating with IAM providers, security platforms, critical applications and cloud infrastructures, ITDR helps organizations see how identities are behaving, what resources they’re accessing, and whether they’re under threat – or becoming a threat themselves. ITDR can provide:

Visibility: Modern identity estates are large and complex, and they leave organizations with security blind spots. ITDR aims to shine a light on these, providing end-to-end visibility and control over all the identities on a network.

Behavioral analysis: ITDR uses machine learning, cyber threat intelligence and user and entity behavior analytics (UEBA) to build a baseline of normal behavior for each identity. If an identity then does something unusual or suspicious, ITDR can alert security teams about a potential threat and automatically deploy countermeasures.

Incident response planning: With ITDR, organizations can create better incident response strategies and playbooks for tackling identity threats and minimizing operational downtime.

Monitoring: ITDR helps organizations continuously monitor activity logs, cloud services, networks, and endpoints for suspicious behavior, security blind spots, and misconfigured accounts.
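The behavioral analysis and monitoring capabilities described above come down to the same mechanism: build a baseline per identity from historical sign-in activity, then score each new event against it. The Python below is an added example, not code from Rezonate or any ITDR product. It derives a simple baseline (countries, devices, sign-in hours) from constructed sign-in events and flags new-country, new-device, off-hours and failed-sign-in-burst activity, plus events from identities that have no baseline at all. The event format, the sample events and the threshold of five failures are assumptions.

```python
"""Per-identity behavioral baseline and anomaly scoring over sign-in events.

Added example, not Rezonate's or any product's code. The event format, the
constructed events and the failure-burst threshold are assumptions; in practice
the baseline comes from weeks of IdP audit logs, not a handful of events.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed "normal" sign-ins used to build the baseline (not real data).
BASELINE_EVENTS = [
    {"user": "alice", "ts": "2024-05-20T09:02:00", "country": "US", "device": "laptop-01", "result": "success"},
    {"user": "alice", "ts": "2024-05-21T10:30:00", "country": "US", "device": "laptop-01", "result": "success"},
    {"user": "alice", "ts": "2024-05-22T14:05:00", "country": "US", "device": "laptop-01", "result": "success"},
    {"user": "alice", "ts": "2024-05-23T17:40:00", "country": "US", "device": "laptop-01", "result": "success"},
    {"user": "svc-deploy", "ts": "2024-05-20T12:00:00", "country": "US", "device": "ci-runner", "result": "success"},
    {"user": "svc-deploy", "ts": "2024-05-21T12:00:00", "country": "US", "device": "ci-runner", "result": "success"},
]

# Constructed later events to be scored against that baseline.
NEW_EVENTS = [
    {"user": "alice", "ts": "2024-06-03T10:15:00", "country": "US", "device": "laptop-01", "result": "success"},
    {"user": "alice", "ts": "2024-06-03T03:10:00", "country": "RO", "device": "unknown-dev", "result": "success"},
] + [
    {"user": "svc-deploy", "ts": f"2024-06-03T12:00:{s:02d}", "country": "US", "device": "ci-runner", "result": "failure"}
    for s in range(5)
] + [
    {"user": "temp-contractor", "ts": "2024-06-03T12:30:00", "country": "US", "device": "laptop-09", "result": "success"},
]

FAILURE_BURST = 5  # assumed: this many failures for one identity raises an alert


def build_baseline(events: List[Dict]) -> Dict[str, Dict[str, set]]:
    """Collect the countries, devices and sign-in hours each identity normally uses."""
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["countries"].add(e["country"])
        p["devices"].add(e["device"])
        p["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return profile


def score_event(profile: Dict[str, Dict[str, set]], e: Dict) -> List[str]:
    """Return the ways this event departs from the identity's baseline."""
    p = profile.get(e["user"])  # .get() does not create a default entry
    if p is None:
        return ["unknown_identity"]  # no baseline at all: unmanaged or newly created
    reasons = []
    if e["country"] not in p["countries"]:
        reasons.append("new_country")
    if e["device"] not in p["devices"]:
        reasons.append("new_device")
    if datetime.fromisoformat(e["ts"]).hour not in p["hours"]:
        reasons.append("unusual_hour")
    return reasons


def detect(baseline_events: List[Dict], new_events: List[Dict], failure_burst: int = FAILURE_BURST) -> List[Dict]:
    """Score each new event against the baseline and return alerts with their reasons."""
    profile = build_baseline(baseline_events)
    failures = defaultdict(int)
    alerts = []
    for e in new_events:
        reasons = score_event(profile, e)
        if e["result"] == "failure":
            failures[e["user"]] += 1
            if failures[e["user"]] == failure_burst:
                reasons.append("failure_burst")  # fire once, when the burst threshold is reached
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE_EVENTS, NEW_EVENTS):
        print(a["ts"], a["user"], ", ".join(a["reasons"]))
```

On the sample data this raises three alerts: alice's 03:10 sign-in from a new country on an unknown device, the fifth consecutive failure for svc-deploy, and a sign-in by an identity with no baseline. The set-based baseline is deliberately simple; a production detector would use a longer training window, weight each reason, and feed the score into the response playbooks described below.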

Authentication: ITDR solutions can involve security measures such as multi-factor authentication (MFA) and one-time passwords to reduce the risk of unauthorized access to identities.

Zero trust: ITDR assumes a network is always under threat of attack and so treats every identity as potentially malicious, fully authenticating and authorizing every request made by identities (users, devices, and applications) from inside or outside the company firewall. 

What do ITDR solutions offer?

ITDR solutions like Rezonate help organizations visualize and control their entire identity security strategy from one central hub, offering tools and processes designed to detect, prioritize, and respond to identity threats in real time. 

Rezonate continuously monitors both human and machine identities for suspicious or anomalous behavior – across cloud, SaaS and identity provider platforms – and provides organizations with AI and machine learning tools to help them plan effective response and remediation strategies against everything from misconfigured accounts to nation-state-grade threats.
