What is ITDR?
ITDR stands for Identity Threat Detection and Response, a term coined in the 2022 Gartner Report. According to the report, “ITDR is a security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.”
What does an Identity Threat Detection and Response tool do?
Detection and Response
As the name implies, ITDR tools detect identity threats. They detect suspicious activity primarily dynamically (real-time identity compromises in your environment), but they can also cover static issues (gaps in static configurations).
However, detection alone is not enough. Given that identity products tend to produce a sizeable amount of false positives, if an admin has to sift through each one individually, that’s a substantial amount of extra work. Similarly, when there’s an active threat in your environment, time to response becomes crucial to containing a breach and minimizing the attack radius. So, the automated response aspect of ITDR tools helps to ease those problems.
Every organization of significant size has identity problems since there always needs to be some system for identifying employees, machines, and services. As a result, identity practices tend to look substantially similar across most enterprises (a concept we expand on in “CISOs on Identity Security Maturity in the Enterprise”). So, for instance, I can go secure Salesforce’s identity stack and that process will look substantially similar to securing the identity stack at Notion, Asana, and so on. This, coupled with the fact that employee identity management is rarely a revenue center for a business, leads to a logical outsourcing of identity (especially ITDR) to SaaS products.
This helps companies reduce costs because instead of every org using their resources to recreate the same tool, baseline ITDR measures can be implemented and allow in-house teams to specialize. So, continuing the example, now Salesforce’s in-house detection team can specialize in detecting threats specific to Salesforce and Notion’s can focus on detecting threats specific to Notion while their ITDR SaaS covers their shared ground.
Why does identity need its own detection and response solution?
Part of what makes identity so difficult is that there isn’t a good source of truth for identity TTPs, specifically cloud-native IdP TTPs, meaning you need to do a ton of research to identify what’s out there, and then continue maintaining that work.
A common misconception is that identity governance is all that you need in terms of securing your identity, but just because you have access rules and onboarding/offboarding workflows doesn’t mean that you’re detecting threats.
In other words, even proper configuration of your IdP doesn’t save you from needing to look for identity threats. For example, just because you disabled SMS as a second factor for your employees doesn’t mean you’re safe: an attacker could phish one of your IdP admins, enable SMS as a factor, disable an employee’s authenticator factor, and enable SMS to bypass your MFA, so at minimum, you need protections in place that can alert you when these things happen.
Identity threat detection is also not just vanilla detection engineering. Detection engineers have to spend their time on all sorts of things, from network traffic analysis (like firewall logs) to host analysis (like MDM logs) to cloud analysis (like AWS logs). This makes identity tricky because there may not be a dedicated person looking for identity threats, which require dedicated research and analysis, and might require different log sources (like Okta logs) while your detection engineering team divides its attention across several domains.
What about D&R (Detection & Response) Hunts?
The traditional D&R “hunt” model is designed to look for a very specific pattern within a single timespan (for example, >10 GB data exfiltrated over 7 days). On the contrary, identity-related threats often emerge as some kind of abnormal user behavioral pattern that are revealed through continuous observation of a user behavioral baseline (for example, a user has never logged in on this day of the week for the last year). This is exacerbated by a shortage of talent who knows identity-related security issues well, resulting in bad hunts that don’t detect relevant identity-security problems or miss signals that emerge.
The ITDR TL;DR
Identity Threat Detection and Response (ITDR) tools play a crucial role in safeguarding identity systems against threats by, in Gartner’s words, “implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.”
The complexity and universality of identity necessitates the need for dedicated ITDR solutions and makes the outsourcing of ITDR to SaaS products like Crosswire a method of reducing costs and enabling in-house teams to specialize in detecting threats specific to their respective environments.
More from our blog
A comprehensive timeline and breakdown of the October 2023 Okta Support Case Management System breach.
In light of October 2023 Okta support compromise, Crosswire sent the following message to its customers.
CISOs Chris Castaldo and Tanner Randolph share insights on security maturity and identity in the enterprise.
Whether this is your 1st or 21st time at Black Hat, these tips can help you weather a jam-packed and intense week.
False positives are a huge problem in security: see what Crosswire is doing to prevent them and mitigate their effects.
We've made the modern identity stack entirely too convoluted and broken, but not for the reasons you think.
How are you protecting your accounts before an incident can occur (or slowing an incident down before it really ramps up)?
This is Solution 2: Remediate of a two-part series on how to detect and remediate evolving identity threats.
This is Solution 1: Detect of a two-part series on how to detect and remediate evolving identity threats.
Explore the historical use, modern approaches, and future applications of AI in detection and response (D&R).
If you’re looking for the right time to join a high-risk, high-reward venture, we’d argue that there’s never been a better opportunity.
IT security audits can be a pain for everyone involved: check out our solutions to make this auditing season just a little bit easier.
RBAC lacks sophistication and flexibility, failing to address the access needs of the modern company.
Who owns identity at your org? Identity is (and should be treated as) a co-owned problem between security and IT.
Yep, you heard that right; we at Crosswire believe that your Okta groups should be as empty as possible.
Crosswire, and its co-founders Johnny and Nick, are building the future of enterprise identity in new and exciting ways.
The theme for 2023’s RSA Conference™ is “Stronger Together.” When info security is more important than ever, so is collaboration.
It’s no secret that your IT organization is crucial to your company. But are they getting all of the resources they need?
Why cybersecurity is more crucial than ever and what you can do to make your organization more secure, no matter your role.
Five significant ways to improve your workflows with automation and get more results than your resources permit.
Crosswire’s technical usability guide to Okta Lifecycle Management (LCM), from onboarding to offboarding.
Subscribe to our blog
Get Crosswire's security insights delivered straight to your inbox. No frills, no spams, unsubscribe anytime!