What is ITDR?


ITDR stands for Identity Threat Detection and Response, a term coined in the 2022 Gartner Report. According to the report, “ITDR is a security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.”
What does an Identity Threat Detection and Response tool do?
Detection and Response
As the name implies, ITDR tools detect identity threats. Most of that detection is dynamic (real-time identity compromises in your environment), but ITDR tools can also cover static issues (gaps in your identity configuration).
However, detection alone is not enough. Identity products tend to produce a sizeable number of false positives, and if an admin has to sift through each one individually, that is a substantial amount of extra work. Similarly, when there is an active threat in your environment, time to respond becomes crucial to containing a breach and minimizing the blast radius. The automated response side of ITDR tools helps with both problems.
Identity
Every organization of significant size has identity problems since there always needs to be some system for identifying employees, machines, and services. As a result, identity practices tend to look substantially similar across most enterprises (a concept we expand on in “CISOs on Identity Security Maturity in the Enterprise”). So, for instance, I can go secure Salesforce’s identity stack and that process will look substantially similar to securing the identity stack at Notion, Asana, and so on. This, coupled with the fact that employee identity management is rarely a revenue center for a business, leads to a logical outsourcing of identity (especially ITDR) to SaaS products.
This helps companies reduce costs: instead of every org spending its own resources to recreate the same tool, baseline ITDR measures can be implemented once, and in-house teams are free to specialize. So, continuing the example, Salesforce’s in-house detection team can specialize in detecting threats specific to Salesforce, Notion’s can focus on threats specific to Notion, and their ITDR SaaS covers the ground they share.
Why does identity need its own detection and response solution?
Part of what makes identity so difficult is that there isn’t a good source of truth for identity TTPs, specifically cloud-native IdP TTPs, meaning you need to do a ton of research to identify what’s out there, and then continue maintaining that work.
A common misconception is that identity governance is all that you need in terms of securing your identity, but just because you have access rules and onboarding/offboarding workflows doesn’t mean that you’re detecting threats.
In other words, even proper configuration of your IdP doesn’t save you from needing to look for identity threats. For example, just because you disabled SMS as a second factor for your employees doesn’t mean you’re safe: an attacker could phish one of your IdP admins, re-enable SMS as an allowed factor in policy, disable an employee’s authenticator factor, and enroll SMS for that employee to bypass your MFA. So, at minimum, you need protections in place that alert you when these things happen.
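The factor-downgrade chain above is exactly the kind of sequence an identity detection should catch. The following is an added example, not Crosswire’s code: it runs two detections over a constructed, simplified audit log (the event names and field layout are assumptions, not a real IdP schema), flagging a weak factor being turned on in policy, and a strong factor being removed from a user shortly before a weak one is enrolled, with higher severity when someone other than the user did it.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample audit events: (timestamp, event, actor, target, factor, detail).
# Event names and fields are assumptions modelled loosely on an IdP system log,
# not a real vendor schema. Scenario: a phished admin enables SMS in policy,
# strips alice's authenticator app, then enrolls SMS for her. Bob's self-service
# reset the same week is included as a lower-risk contrast.
EVENTS = [
    ("2024-05-01T09:00:00", "mfa.policy.update",     "admin@corp", "policy:default", "sms", "enabled"),
    ("2024-05-01T09:02:10", "mfa.factor.deactivate", "admin@corp", "alice@corp", "authenticator_app", ""),
    ("2024-05-01T09:03:45", "mfa.factor.activate",   "admin@corp", "alice@corp", "sms", ""),
    ("2024-05-01T11:00:00", "mfa.factor.deactivate", "bob@corp",   "bob@corp",   "authenticator_app", ""),
    ("2024-05-02T14:00:00", "mfa.factor.activate",   "bob@corp",   "bob@corp",   "authenticator_app", ""),
]

STRONG = {"authenticator_app", "webauthn"}   # phishing-resistant or app-based factors
WEAK = {"sms", "voice"}                      # factors the text says should stay disabled


def detect_factor_downgrade(events, window=timedelta(minutes=30)):
    """Flag a strong factor removed from a user followed, within `window`,
    by a weak factor activated on the same user."""
    by_target = defaultdict(list)
    for ts, ev, actor, target, factor, _ in sorted(events):   # ISO timestamps sort as strings
        by_target[target].append((datetime.fromisoformat(ts), ev, actor, factor))
    findings = []
    for target, evs in by_target.items():
        for i, (t1, ev1, _, f1) in enumerate(evs):
            if ev1 != "mfa.factor.deactivate" or f1 not in STRONG:
                continue
            for t2, ev2, a2, f2 in evs[i + 1:]:
                if t2 - t1 > window:
                    break
                if ev2 == "mfa.factor.activate" and f2 in WEAK:
                    findings.append({"target": target, "actor": a2, "removed": f1, "added": f2,
                                     "severity": "high" if a2 != target else "medium"})
    return findings


def detect_weak_factor_policy_enable(events):
    """Flag any policy change that turns a weak factor back on."""
    return [(ts, actor, factor) for ts, ev, actor, _, factor, detail in events
            if ev == "mfa.policy.update" and factor in WEAK and detail == "enabled"]
```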
Identity threat detection is also not just vanilla detection engineering. Detection engineers have to spend their time on all sorts of things, from network traffic analysis (like firewall logs) to host analysis (like MDM logs) to cloud analysis (like AWS logs). This makes identity tricky because there may not be a dedicated person looking for identity threats, which require dedicated research and analysis, and might require different log sources (like Okta logs) while your detection engineering team divides its attention across several domains.
What about D&R (Detection & Response) Hunts?
The traditional D&R “hunt” model is designed to look for a very specific pattern within a single timespan (for example, >10 GB of data exfiltrated over 7 days). By contrast, identity-related threats often emerge as abnormal user behavior patterns that are only revealed through continuous observation against a per-user behavioral baseline (for example, a user has never logged in on this day of the week in the last year). This is exacerbated by a shortage of talent who know identity-related security issues well, resulting in bad hunts that don’t detect relevant identity-security problems or miss the signals that do emerge.
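To make the contrast concrete, here is an added example (not Crosswire’s code) of the baseline approach the paragraph describes: it builds, per user, the set of weekdays and hours at which that user has historically logged in, then scores a new login as anomalous when it lands on a weekday or hour never seen before, and refuses to score users with too little history. The login history is constructed, not real data.

```python
from datetime import datetime, timedelta
from collections import defaultdict


def build_baseline(logins):
    """Per user: weekdays (0=Mon..6=Sun) and hours seen, plus login count."""
    base = defaultdict(lambda: {"days": set(), "hours": set(), "n": 0})
    for user, ts in logins:
        t = datetime.fromisoformat(ts)
        b = base[user]
        b["days"].add(t.weekday())
        b["hours"].add(t.hour)
        b["n"] += 1
    return base


def score_login(base, user, ts, min_history=20):
    """Return (verdict, reasons). A login is anomalous only relative to the
    user's own history; users without enough history are not scored, since a
    thin baseline makes everything look new."""
    t = datetime.fromisoformat(ts)
    b = base.get(user)
    if b is None or b["n"] < min_history:
        return ("insufficient_baseline", [])
    reasons = []
    if t.weekday() not in b["days"]:
        reasons.append("never_seen_weekday")
    if t.hour not in b["hours"]:
        reasons.append("never_seen_hour")
    return ("anomalous" if reasons else "normal", reasons)


# Constructed history: alice logs in Mon-Fri, between 08:00 and 16:00, for 8 weeks.
START = datetime(2024, 1, 1)  # a Monday
HISTORY = [("alice", (START + timedelta(days=d, hours=8 + d % 9)).isoformat())
           for d in range(56) if (START + timedelta(days=d)).weekday() < 5]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    print(score_login(BASELINE, "alice", "2024-03-05T10:00:00"))  # a Tuesday morning
    print(score_login(BASELINE, "alice", "2024-03-10T03:00:00"))  # a Sunday at 03:00
    print(score_login(BASELINE, "mallory", "2024-03-10T03:00:00"))
```

A production version would also age out old observations and track more dimensions (source network, device, geography), but the shape of the logic is the same.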
The ITDR TL;DR
Identity Threat Detection and Response (ITDR) tools play a crucial role in safeguarding identity systems against threats by, in Gartner’s words, “implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.”

The complexity and universality of identity create the need for dedicated ITDR solutions, and make outsourcing ITDR to SaaS products like Crosswire a way to reduce costs and let in-house teams specialize in detecting the threats specific to their own environments.
To stay up to date with Crosswire and see how your organization fits into the future of ITDR, contact us for a demo here and subscribe to our blog below!