How to Detect and Remediate Identity Threats; Solution 1: Detect

Hannah Young
Hannah Young
.
June 6, 2023
5 min
 read

This is “Solution 1: Detect” of a two-part series on “How to Detect and Remediate Identity Threats.” In this series, we provide solutions to the problems put forth in our parallel series “Defending Against Threats in Identity Security,” (both Part 1: Detect and Part 2: Remediate).

As we discuss in “Defending Against Threats in Identity Security; Part 1: Detect,” current solutions already do not do enough to combat advanced security attacks (as we’ve seen in breaches like EA’s and Circle CI’s). The failure of traditional MFA, "major detection gaps between IAM and infrastructure security controls and poorly ingested identity signals have all been highlighted by these kinds of evolving attacks.

image titled “How ITDR Works With Infrastructure Security to Detect and Respond to Identity Threats”. On the left is a box with a skull icon titled “Identity Threats” and examples such as “Password spray,” “SAML golden ticket,” and “Unusual user activity,” this box has an arrow pointing to the right to a box titled “Identity Infrastructure.” The “Identity Infrastructure” box has examples like “AM,” “IGA,” “PAM,” and “MFA” and has an arrow pointing to the right to a box titled “ITDR.” The “ITDR” box has an infinity sign/loop encompassing “Detection” (symbolized with an eye) and “Response” (symbolized with a person talking at a podium) and is pointing to a box above it titled “Infrastructure Security and Operations.” The “Infrastructure Security and Operations” box has a fire icon and examples like “NDR,” “EDR,” “XDR,” “SIEM,” and “SOAR,” and is pointed back to the “ITDR” box below it. Below the “ITDR” box is a box titled “IT Infrastructure” that has a building icon named “On-Premises,” a cylindrical icon with 2D shapes inside named “Apps,” a cell phone icon named “Devices,” and a cloud icon named “Cloud.”

However, industry researchers are working overtime to discover and create new strategies, like the 2022 Gartner Report’s creation/coining of the ITDR (Identity Threat Detection and Response) discipline. According to the report, “ITDR is a security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.”

In this two-part series, we break down how to both detect and remediate changing identity security threats. This is Solution 1: Detect.

What do approaches to detection currently look like?

Existing information security detection methods suffer from fragmentation and limited effectiveness. For example, signature-based detection relies on known patterns, rendering it insufficient against unknown threats, while anomaly detection tends to generate false positives and negatives. The fragmented nature of these approaches is most evident in the context of traditional detection and response (D&R) “hunts.”

Three-panel comic titled “Little Bobby.” The first panel shows a young kid standing on a stage in front of a crowd saying “—And THAT’S why you need threat hunting.” while a person from the audience raises a hand and says “OUR product now does threat hunting!” The second panel shows the kid saying “—and be sure to use threat behavior analytics for detection.” and the same person from the audience, with a frantic expression, says (in an exclamatory speech bubble) “our anomaly detection is now THREAT BEHAVIORAL ANOMALY DETECTION!!” The last panel shows the kid, with an exasperated expression, saying “Investigations are also key—” before he is cut off by the same person from the audience with another exclamatory speech bubble that says “And now we have investigations powered by blockchain!!!” with the kid responding “Dude, stop.”
Image from the Little Bobby Comic

Traditional D&R “hunts” have typically focused on signals like network traffic and on-device agents, overlooking the importance of identity signals (e.g., app access patterns, session events, permissions changes, etc.). There is a lack of integration between D&R hunts and day-to-day operations, resulting in a decoupling of threat detection and threat prevention that makes it challenging to proactively mitigate threats. Moreover, traditional D&R hunts often fail to establish a baseline of user behavior, despite the fact that deviations from these baselines can provide valuable identity-related signals for detecting potential threats.

The heart of the problem is that current detection methods need to better ingest identity signals. Identity-based detection is crucial because it provides a deeper understanding of user behavior and access patterns, allowing for more accurate threat detection and response. However, many may feel that they already have some sort of identity solution (e.g. MFA, IGA, CSPM, etc.), and don’t need to expand into a specific D&R solution.

“I pay for all of these tools already, why do I need another one?”

Graph from the Gartner Report titled "ITDR Works as Second and Third Layers of Defense After Prevention” showing “Identity Threats” (symbolized by a skull) going through Prevention (MFA, IGA, etc.) and into “ITDR Responsibilities” split into “Detection” (symbolized with an eye) and “Response” (symbolized with a person speaking at a podium)

As you can see from the Gartner illustration above, traditional prevention methods have gaps that attackers can get between. While host-based detection and Identity and Access Management (IAM) tools focus on system-level security and access controls, identity-based detection focuses specifically on the activities and behaviors of individual users, enabling organizations to detect irregularities, insider threats, and unauthorized access more effectively.

By considering the context of user identities, such as their roles, permissions, and historical behavior, identity-based detection provides a more comprehensive approach to security that complements host-based and IAM tools. There are real threats that these tools aren’t able to detect like stolen session cookies, one of the fastest-growing new strategies used by assailants. For instance, MFA can be useful, but if attackers can now steal the session cookie after it’s been authenticated by MFA, there’s nothing MFA can do to stop or detect this. Similarly, dormant accounts are a huge posture issue that has real security implications and can slip through the cracks left by traditional fragmented prevention methods.

So, how can we patch these gaps between identity systems?

There are a couple of things you can do on your own, like ingesting identity signals in your SIEM (however, don’t retain too much data! Storing stuff in your SIEM is pricey). However, in solving this problem, Gartner offers three acronyms to keep in mind: “TTPs (Tactics, Techniques, and Procedures), UBAs (User Behavior Analytics), and IOCs (Indicators of Compromise).”

For example, you can use threat detection software to turn continuous monitoring for TTPs into novel signals useful for making real-time access decisions. Similarly, AI’s UBA capabilities can detect behavioral abnormalities such as permission anomalies, account takeovers, and persistence tactics that wouldn’t be caught with traditional prevention/posture tools. These sorts of new identity-first signals can enable organizations to track threats/IOCs over time and learn from experience. Gartner argues you can more effectively catch and analyze threats that slip through the cracks traditional preventative identity measures leave by implementing these detection methods, finding new signals, and making them actionable.

Crosswire logo and “Crosswire®” written in white on a light blue, dark blue, pink, and orange gradient background
Contact Crosswire here to get a free detection report and see what threats might be lurking in your organization!

Still, no detection solution is perfect, and as attackers continue to evolve, they might evade even the strongest detection methods. This is where the response component comes in; stay tuned for next week’s article on what happens after you’ve been compromised: How to Detect and Remediate Identity Threats; Solution 2: Remediation.

To get notified when we post more about these solutions (and to stay up to date with Crosswire on all things identity and infosec), sign up to receive our updates below!

More from our blog

Identity Governance Best Practices for Security Leaders

Explore essential identity governance best practices for security leaders, ensuring robust security frameworks and compliance adherence. Learn more today.

Johnny Wang
.
4 min
 read
UPDATE: Customer Impact in the Okta Salesforce Breach

An update on Crosswire and the September 2023 breach of Okta’s Salesforce instance.

Crosswire Security Team
.
1 min
 read
Breaking Down the October 2023 Okta Breach

A comprehensive timeline and breakdown of the October 2023 Okta Support Case Management System breach.

Hannah Young
.
7 min
 read
October 2023 Okta Compromise Guidance

In light of October 2023 Okta support compromise, Crosswire sent the following message to its customers.

Crosswire Security Team
.
5 min
 read
What is ITDR?

The term Identity Threat Detection and Response (ITDR) has gained significant popularity this year, but what is ITDR, actually?

Hannah Young
.
5 min
 read
CISOs on Identity Security Maturity in the Enterprise

CISOs Chris Castaldo and Tanner Randolph share insights on security maturity and identity in the enterprise.

Hannah Young
.
5 min
 read
Black Hat Guide for Conference Veterans

Whether this is your 1st or 21st time at Black Hat, these tips can help you weather a jam-packed and intense week.

Hannah Young
.
10 min
 read
You Should Feel ‘Positively’ About Your Security Tools: How We’re Mitigating False Positives in Identity Security

False positives are a huge problem in security: see what Crosswire is doing to prevent them and mitigate their effects.

Hannah Young
.
5 min
 read
Decoding the (Broken) Modern Identity Stack

We've made the modern identity stack entirely too convoluted and broken, but not for the reasons you think.

Hannah Young
.
10 min
 read
The Secret Third Step to Threat Detection and Response: Protection

How are you protecting your accounts before an incident can occur (or slowing an incident down before it really ramps up)?

Hannah Young
.
6 min
 read
How to Detect and Remediate Identity Threats; Solution 2: Remediate

This is Solution 2: Remediate of a two-part series on how to detect and remediate evolving identity threats.

Hannah Young
.
5 min
 read
AI D&R: AI (in Security) is Dead; Long Live AI (in Security)

Explore the historical use, modern approaches, and future applications of AI in detection and response (D&R).

Hannah Young
.
8 min
 read
Quick RSAC 2023 Recap: We’re Back (and Stronger Together)

From Armisen to AI/ML, catch up on what you missed from RSA Conference 2023 with Crosswire!

Hannah Young
.
4 min
 read
Defending Against Threats in Identity Security; Part 2: Remediate

This is Part 2: Remediate of a two-part series setting up emerging problems in identity security.

Hannah Young
.
6 min
 read
Why Now’s the Perfect Time to Join an Early-Stage Startup

If you’re looking for the right time to join a high-risk, high-reward venture, we’d argue that there’s never been a better opportunity.

Hannah Young
.
3 min
 read
It’s Not Just You: IT Security Audits are Stressful

IT security audits can be a pain for everyone involved: check out our solutions to make this auditing season just a little bit easier.

Hannah Young
.
5 min
 read
Why RBAC is obsolete

RBAC lacks sophistication and flexibility, failing to address the access needs of the modern company.

Hannah Young
.
3 min
 read
Defending Against Threats in Identity Security; Part 1: Detect

This is Part 1: Detect of a two-part series setting up emerging problems in identity security.

Hannah Young
.
5 min
 read
Identity Is a Co-owned Problem Between Security and IT

Who owns identity at your org? Identity is (and should be treated as) a co-owned problem between security and IT.

Hannah Young
.
5 min
 read
Your Okta Groups Should Be (Mostly) Empty

Yep, you heard that right; we at Crosswire believe that your Okta groups should be as empty as possible.

Hannah Young
.
2 min
 read
The Founding of Crosswire as Told by Its Values

Crosswire, and its co-founders Johnny and Nick, are building the future of enterprise identity in new and exciting ways.

Hannah Young
.
7 min
 read
RSA Conference™ 2023: Stronger Together

The theme for 2023’s RSA Conference™ is “Stronger Together.” When info security is more important than ever, so is collaboration.

Hannah Young
.
6 min
 read
6 Early Warning Signs of an Under-Resourced IT Organization

It’s no secret that your IT organization is crucial to your company. But are they getting all of the resources they need?

Hannah Young
.
5 min
 read
Cybersecurity Is More Critical Than Ever, and You (Yes, You) Can Do Something About It Now

Why cybersecurity is more crucial than ever and what you can do to make your organization more secure, no matter your role.

Hannah Young
.
7 min
 read
Understanding Automation: How To Do More Than You Have the Resources For

Five significant ways to improve your workflows with automation and get more results than your resources permit.

Hannah Young
.
5 min
 read
Google Workplace Organizational Units (OUs) according to Parks and Rec

What are Google Workplace Organizational Units, and how do they work (according to Parks and Rec)?

Hannah Young
.
5 min
 read
Practical Survival Guide to Okta Lifecycle Management

Crosswire’s technical usability guide to Okta Lifecycle Management (LCM), from onboarding to offboarding.

Hannah Young
.
6 min
 read
Authorization (AuthZ) and Authentication (AuthN): A Brief History

Authentication is who you are, and authorization is what you can do. Here, we dive into the history of these terms.

Hannah Young
.
5 min
 read