Netanel Azoulay
18.05.2023
ITDR
Mind The Gap
In the rapidly evolving distributed digital landscape, organizations face increasing challenges in safeguarding their valuable assets against identity-centric cyber threats. The frequency and sophistication of data breaches that exploit credible identities have rendered traditional prevention, detection, and response measures insufficient. This is where Identity Threat Detection and Response (ITDR) comes into play.
ITDR, or Identity Threat Detection and Response, is a vital security practice designed to detect, mitigate, and respond to various identity-related risks. These risks include compromised user accounts, unauthorized access, data breaches, misuse of credentials, and fraudulent activities. Safeguarding against these threats is crucial for organizations to protect their sensitive information and maintain a secure environment.
In this blog post, we will explore the significance of ITDR in safeguarding against breaches and how it can bridge the gap between the Security Operations Center (SOC) and Identity and Access Management (IAM) controls and teams.
Gartner Identifies Top Security and Risk Management Trends
Understanding the Need for ITDR
The cybersecurity landscape is evolving rapidly, with attackers becoming more sophisticated and identity-focused in their methods. Recent identity-centric cyberattacks on Okta, Uber, Cisco, and many more, have highlighted the vulnerability of identity infrastructure and the exploitation of identity systems. While prevention measures such as Multi-Factor Authentication (MFA) and different IAM systems are essential, they are empirically not foolproof. This underscores the need for a comprehensive contextual approach that includes detection and response.
The Rise of Identity-Centric Threats
Hackers don’t hack in, they log in.
Statistics indicate that approximately 80% of attacks involve the misuse of credentials, underscoring the critical role of identity systems in breaches. Attackers exploit weak identity and access management points to gain unauthorized access, execute lateral movement, escalate privileges, and exfiltrate or encrypt data. Organizations must recognize that neither the reactive SOC approach nor prevention alone is sufficient, and shift toward identity-centric detection and response.
Additionally, threat actors are leveraging AI and other modern tools to enhance their identity-centric campaigns and exploit unsuspecting targets. Talos Intelligence provides valuable insights into how AI-powered techniques, such as natural language processing and generative models, enable attackers to craft sophisticated and personalized phishing emails. These techniques allow them to bypass traditional email filters and increase the chances of success in deceiving users. Current detection controls are also vulnerable to AI-powered threat actors, who evade detection by blending in with normal user behavior patterns and thereby defeat the traditional security measures meant to identify malicious activity.
Bridging the Gap
SOC teams have traditionally focused on network, endpoint, and application security, while IAM professionals have emphasized identity and access prevention measures like Authentication (AuthN) and Authorization (AuthZ). However, as organizations move towards an identity-centric security strategy, these two disciplines must be compatible and work cohesively to address emerging challenges. Bridging this gap is crucial for modern security.
To counter the evolving threats, organizations must augment their security strategies with Identity Threat Detection and Response (ITDR) practices. By harnessing the power of AI and machine learning, ITDR solutions can analyze user behavior, detect anomalous patterns, and swiftly respond to identity-related threats. This proactive approach is crucial in staying one step ahead of threat actors who exploit weak identity and access management points. It allows organizations to bridge the gap between prevention and response, fortifying their defenses and safeguarding against the growing sophistication of identity-centric attacks.
Embracing ITDR as One of the Core Pillars of Identity-First Security
ITDR is a discipline that encompasses various tools, threat intelligence, processes, and best practices. While prevention tools like Identity Governance and Administration (IGA), Cloud Infrastructure Entitlement Management (CIEM), MFA, and Privileged Access Management (PAM) are instrumental, they can’t guarantee complete protection. Organizations must understand that prevention alone is insufficient and invest in robust ITDR strategies to effectively detect and respond to threats. ITDR requires a holistic approach that combines various elements to create a comprehensive defense.
Why ITDR? I already have XDR and EDR
In the realm of cybersecurity, organizations adopt a comprehensive defense strategy by combining ITDR, XDR, and EDR solutions. In fact, ITDR is the newest security practice aiming to compensate for the inadequacies of traditional XDR and EDR approaches.
ITDR, or Identity Threat Detection and Response, focuses on detecting and responding to identity-related risks like compromised accounts and unauthorized access. It complements XDR’s broader approach of integrating security data from multiple sources, including endpoints, networks, and the cloud. Meanwhile, EDR specializes in monitoring and analyzing endpoint devices for malicious activity.
By leveraging the strengths of ITDR, organizations can finally bridge the gap between IAM teams and the SOC teams that operate the XDR and EDR systems. This empowers organizations to gain a multi-layered defense against cyber threats.
To conclude: ITDR addresses identity-centric risks, XDR provides a multi-layer view of the organization’s security posture, and EDR offers insights into threats originating from endpoints. Together, these solutions enhance the organization’s ability to detect, respond to, and mitigate sophisticated attacks across various fronts.
Building an Effective ITDR Framework
Establishing a comprehensive ITDR framework involves prioritizing detection mechanisms and response strategies. Detection can be based on Tactics, Techniques, and Procedures (TTP), User and Entity Behavior Analytics (UEBA), or both. While each approach has strengths and weaknesses, UEBA provides a proactive means of identifying suspicious behavior. Additionally, organizations must develop threat playbooks to guide their response to identity breaches, including immediate actions such as traffic isolation, step-up authentication, and quarantine of compromised accounts. Every effective ITDR framework should comply with the 3 C’s: Continuous, Consistent, and Contextual. These are the main pillars of such a program:
- Holistic & Contextual Visibility: An effective ITDR solution aggregates data from multiple sources, utilizing identity analytics, machine learning, behavioral analysis, and anomaly detection for threat analysis and quick identification.
- Automation: The ITDR system should automate responses, such as blocking access to compromised accounts, alerting security personnel, and initiating investigations to mitigate identity-based threats.
- Risk-based control: Prioritizing alerts based on the risk level is crucial to avoid alert fatigue and ensure a timely response. To streamline incident management, the ITDR solution should identify false positives and classify threats based on attack patterns.
Mitigating Challenges in MFA
While Multi-Factor Authentication (MFA) is a crucial defense against unauthorized access, attackers have devised techniques like prompt bombing to exploit MFA systems. Prompt bombing involves bombarding employees with One-Time Password (OTP) text messages, causing fatigue and increasing the likelihood of falling victim to an attack. Organizations should invest in MFA tools resistant to phishing attempts and incorporate compensatory controls to mitigate this risk. These controls may include device location verification, session invitations, and consecutive attempt detection.
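As an added illustration of two points above, the risk-based prioritization and playbook mapping from the framework section and the consecutive-attempt detection just mentioned for MFA, here is a small Python pass over constructed identity-provider events. It is example code written for this post, not a Mesh Security product feature or anyone's production detector. The event fields, the per-user baselines, the risk weights and the playbook thresholds are all assumptions chosen for the illustration.

```python
"""Toy ITDR detection pass over constructed identity events.

Implements a UEBA-style baseline check (new country / new device per user),
consecutive MFA push-prompt detection (prompt bombing / push fatigue), and a
risk score that ranks identities and maps each severity to a playbook action.
Every event, baseline, weight and threshold below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-user baseline of "normal" (a real deployment learns this from IdP logs).
BASELINE = {
    "alice": {"countries": {"DE"}, "devices": {"dev-a1"}},
    "bob":   {"countries": {"US"}, "devices": {"dev-b1", "dev-b2"}},
}

# Constructed IdP-style events. "mfa_push" is a push prompt sent to the user's phone.
EVENTS = [
    {"ts": "2023-05-18T08:00:00", "user": "alice", "type": "login",    "result": "success",  "country": "DE", "device": "dev-a1"},
    {"ts": "2023-05-18T08:01:00", "user": "bob",   "type": "login",    "result": "success",  "country": "US", "device": "dev-b2"},
    # bob: burst of prompts from an unknown device in an unknown country, then a give-in
    {"ts": "2023-05-18T09:00:00", "user": "bob",   "type": "mfa_push", "result": "denied",   "country": "RO", "device": "dev-x9"},
    {"ts": "2023-05-18T09:00:20", "user": "bob",   "type": "mfa_push", "result": "denied",   "country": "RO", "device": "dev-x9"},
    {"ts": "2023-05-18T09:00:40", "user": "bob",   "type": "mfa_push", "result": "denied",   "country": "RO", "device": "dev-x9"},
    {"ts": "2023-05-18T09:01:00", "user": "bob",   "type": "mfa_push", "result": "denied",   "country": "RO", "device": "dev-x9"},
    {"ts": "2023-05-18T09:01:20", "user": "bob",   "type": "mfa_push", "result": "approved", "country": "RO", "device": "dev-x9"},
    {"ts": "2023-05-18T09:01:25", "user": "bob",   "type": "login",    "result": "success",  "country": "RO", "device": "dev-x9"},
    # alice: a single approved prompt from a new device in her usual country
    {"ts": "2023-05-18T10:00:00", "user": "alice", "type": "mfa_push", "result": "approved", "country": "DE", "device": "dev-a2"},
    {"ts": "2023-05-18T10:00:05", "user": "alice", "type": "login",    "result": "success",  "country": "DE", "device": "dev-a2"},
]

# Hypothetical risk weights and playbook thresholds (tuned per environment in practice).
WEIGHTS = {"new_country": 40, "new_device": 25, "mfa_fatigue": 50, "approved_after_denials": 30}
PLAYBOOK = [
    (80, "high",   "quarantine account, revoke sessions, require step-up authentication"),
    (40, "medium", "require step-up authentication, notify analyst"),
    (1,  "low",    "log for review"),
]


def detect_mfa_fatigue(events, window=timedelta(seconds=120), threshold=4):
    """Return {user: max prompts seen in any sliding window} for users at or above threshold."""
    pushes = defaultdict(list)
    for e in events:
        if e["type"] == "mfa_push":
            pushes[e["user"]].append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for user, times in pushes.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def detect_baseline_deviations(events, baseline):
    """Return {user: set of signals} for activity outside the user's known countries/devices."""
    signals = defaultdict(set)
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            signals[e["user"]].add("no_baseline")
            continue
        if e["country"] not in b["countries"]:
            signals[e["user"]].add("new_country")
        if e["device"] not in b["devices"]:
            signals[e["user"]].add("new_device")
    return signals


def detect_approval_after_denials(events, min_denials=2):
    """Users who approved a push after denying several: the classic fatigue give-in."""
    denied, hits = defaultdict(int), set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "mfa_push":
            continue
        if e["result"] == "denied":
            denied[e["user"]] += 1
        elif e["result"] == "approved" and denied[e["user"]] >= min_denials:
            hits.add(e["user"])
    return hits


def score_identities(events, baseline):
    """Combine the signals into a per-user score plus the reasons that produced it."""
    fatigue = detect_mfa_fatigue(events)
    deviations = detect_baseline_deviations(events, baseline)
    gave_in = detect_approval_after_denials(events)
    scores = {}
    for user in {e["user"] for e in events}:
        reasons = set(deviations.get(user, set()))
        if user in fatigue:
            reasons.add("mfa_fatigue")
        if user in gave_in:
            reasons.add("approved_after_denials")
        scores[user] = {"score": sum(WEIGHTS.get(r, 0) for r in reasons), "reasons": sorted(reasons)}
    return scores


def prioritize(scores):
    """Rank identities by score, attach the playbook action, and drop zero-score users."""
    ranked = []
    for user, info in sorted(scores.items(), key=lambda kv: -kv[1]["score"]):
        if info["score"] == 0:
            continue
        for threshold, severity, action in PLAYBOOK:
            if info["score"] >= threshold:
                ranked.append({"user": user, "severity": severity, "action": action, **info})
                break
    return ranked


if __name__ == "__main__":
    for finding in prioritize(score_identities(EVENTS, BASELINE)):
        print(finding)
```

Run as-is, the pass surfaces "bob" first (unknown country and device, five prompts inside two minutes, an approval after four denials) with the high-severity playbook action, while "alice" lands at the bottom with a low-severity "log for review" for a single new device in her usual country. That ordering is the point of the risk-based control bullet above: the same new-device signal that is noise on its own becomes decisive when it stacks with the fatigue pattern, and an analyst sees the stacked case before the isolated one.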
ITDR as an Essential Component of Your Zero Trust Architecture
Organizations must adopt a Zero Trust mindset, assuming a breach rather than relying solely on prevention. By acknowledging that attackers may find their way in, organizations can focus on making their work more challenging. This approach requires effective collaboration between SOC and IAM teams, leveraging the expertise of both to identify and respond to threats promptly. The SOC team can provide in-depth analysis and pinpoint potential threats within the identity perimeter, while the IAM team can contribute their knowledge of identity systems to enhance threat detection. By strengthening collaboration, organizations can better protect their digital environments.
Conclusion
In today’s cybersecurity landscape, organizations must prioritize security detection and response aspects alongside prevention measures. Identity Threat Detection and Response (ITDR) is crucial in bridging the gap between the SOC and IAM teams, ensuring a comprehensive approach to safeguarding sensitive data and mitigating breaches. By embracing ITDR as a discipline and implementing robust detection mechanisms, organizations can proactively identify threats within the identity infrastructure and respond swiftly to contain and mitigate the impact of breaches.
Remember, prevention is essential, but detection and response are equally crucial in the battle against cyber threats. Mesh Security is the world’s first Zero Trust Posture Management (ZTPM) solution that helps organizations drive contextual and comprehensive prevention, detection, and response, including ITDR and ISPM (Identity Security Posture Management), strengthening compatibility between controls and collaboration across teams to create a safer digital landscape for modern enterprises. By combining prevention, detection, and response strategies, Mesh can empower your organization with an enhanced and agile Zero Trust posture that dynamically adapts to your business.
That’s highly relevant to our org. Pinged you directly
Very interesting
An intriguing perspective indeed. Additionally, I would like to emphasize that the present critical attack vector stems from inadequate monitoring of microservices and the negligence of accounting for personal login credentials. Consequently, any comprehensive security architecture must prioritize the implementation of vigilant monitoring for all microservices and the strict management of individual credentials.