How to Detect and Remediate Identity Threats; Solution 1: Detect

This is “Solution 1: Detect” of a two-part series on “How to Detect and Remediate Identity Threats.” In this series, we provide solutions to the problems put forth in our parallel series “Defending Against Threats in Identity Security,” (both Part 1: Detect and Part 2: Remediate).

As we discuss in “Defending Against Threats in Identity Security; Part 1: Detect,” current solutions already do not do enough to combat advanced security attacks (as we’ve seen in breaches like EA’s and Circle CI’s). The failure of traditional MFA, "major detection gaps between IAM and infrastructure security controls” and poorly ingested identity signals have all been highlighted by these kinds of evolving attacks.

However, industry researchers are working overtime to discover and create new strategies, like the 2022 Gartner Report’s creation/coining of the ITDR (Identity Threat Detection and Response) discipline. According to the report, “ITDR is a security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.”

In this two-part series, we break down how to both detect and remediate changing identity security threats. This is Solution 1: Detect.

What do approaches to detection currently look like?

Existing information security detection methods suffer from fragmentation and limited effectiveness. For example, signature-based detection relies on known patterns, rendering it insufficient against unknown threats, while anomaly detection tends to generate false positives and negatives. The fragmented nature of these approaches is most evident in the context of traditional detection and response (D&R) “hunts.”

Traditional D&R “hunts” have typically focused on signals like network traffic and on-device agents, overlooking the importance of identity signals (e.g., app access patterns, session events, permissions changes, etc.). There is a lack of integration between D&R hunts and day-to-day operations, resulting in a decoupling of threat detection and threat prevention that makes it challenging to proactively mitigate threats. Moreover, traditional D&R hunts often fail to establish a baseline of user behavior, despite the fact that deviations from these baselines can provide valuable identity-related signals for detecting potential threats.

The heart of the problem is that current detection methods need to better ingest identity signals. Identity-based detection is crucial because it provides a deeper understanding of user behavior and access patterns, allowing for more accurate threat detection and response. However, many may feel that they already have some sort of identity solution (e.g. MFA, IGA, CSPM, etc.), and don’t need to expand into a specific D&R solution.

“I pay for all of these tools already, why do I need another one?”

As you can see from the Gartner illustration above, traditional prevention methods have gaps that attackers can get between. While host-based detection and Identity and Access Management (IAM) tools focus on system-level security and access controls, identity-based detection focuses specifically on the activities and behaviors of individual users, enabling organizations to detect irregularities, insider threats, and unauthorized access more effectively.

By considering the context of user identities, such as their roles, permissions, and historical behavior, identity-based detection provides a more comprehensive approach to security that complements host-based and IAM tools. There are real threats that these tools aren’t able to detect like stolen session cookies, one of the fastest-growing new strategies used by assailants. For instance, MFA can be useful, but if attackers can now steal the session cookie after it’s been authenticated by MFA, there’s nothing MFA can do to stop or detect this. Similarly, dormant accounts are a huge posture issue that has real security implications and can slip through the cracks left by traditional fragmented prevention methods.

So, how can we patch these gaps between identity systems?

There are a couple of things you can do on your own, like ingesting identity signals in your SIEM (however, don’t retain too much data! Storing stuff in your SIEM is pricey). However, in solving this problem, Gartner offers three acronyms to keep in mind: “TTPs (Tactics, Techniques, and Procedures), UBAs (User Behavior Analytics), and IOCs (Indicators of Compromise).”

For example, you can use threat detection software to turn continuous monitoring for TTPs into novel signals useful for making real-time access decisions. Similarly, AI’s UBA capabilities can detect behavioral abnormalities such as permission anomalies, account takeovers, and persistence tactics that wouldn’t be caught with traditional prevention/posture tools. These sorts of new identity-first signals can enable organizations to track threats/IOCs over time and learn from experience. Gartner argues you can more effectively catch and analyze threats that slip through the cracks traditional preventative identity measures leave by implementing these detection methods, finding new signals, and making them actionable.

Still, no detection solution is perfect, and as attackers continue to evolve, they might evade even the strongest detection methods. This is where the response component comes in; stay tuned for next week’s article on what happens after you’ve been compromised: How to Detect and Remediate Identity Threats; Solution 2: Remediation.

To get notified when we post more about these solutions (and to stay up to date with Crosswire on all things identity and infosec), sign up to receive our updates below!